@Preamble{"\input bibnames.sty"}
@String{ack-nhfb = "Nelson H. F. Beebe,
University of Utah,
Department of Mathematics, 110 LCB,
155 S 1400 E RM 233,
Salt Lake City, UT 84112-0090, USA,
Tel: +1 801 581 5254,
FAX: +1 801 581 4148,
e-mail: \path|beebe@math.utah.edu|,
\path|beebe@acm.org|,
\path|beebe@computer.org| (Internet),
URL: \path|http://www.math.utah.edu/~beebe/|"}
@String{j-TISSEC = "ACM Transactions on Information and System
Security"}
@Article{Sandhu:1998:E,
author = "Ravi Sandhu",
title = "Editorial",
journal = j-TISSEC,
volume = "1",
number = "1",
pages = "1--2",
month = nov,
year = "1998",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p1-sandhu/",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bergadano:1998:HDC,
author = "Francesco Bergadano and Bruno Crispo and Giancarlo
Ruffo",
title = "High dictionary compression for proactive password
checking",
journal = j-TISSEC,
volume = "1",
number = "1",
pages = "3--25",
month = nov,
year = "1998",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p3-bergadano/",
abstract = "The important problem of user password selection is
addressed and a new proactive password-checking
technique is presented. In a training phase, a decision
tree is generated based on a given dictionary of weak
passwords. Then, the decision tree is used to determine
whether a user password should be accepted.
Experimental results described here show that the
method leads to a very high dictionary compression (up
to 1000 to 1) with low error rates (of the order of
1\%). A prototype implementation, called ProCheck, is
made available online. We survey previous approaches to
proactive password checking, and provide an in-depth
comparison.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "experimentation; management; performance; security",
subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and
Protection, Authentication. {\bf K.6.5} Computing
Milieux, MANAGEMENT OF COMPUTING AND INFORMATION
SYSTEMS, Security and Protection, Authentication.",
}
@Article{Bertino:1998:EBI,
author = "Elisa Bertino and Sabrina {De Capitani Di Vimercati}
and Elena Ferrari and Pierangela Samarati",
title = "Exception-based information flow control in
object-oriented systems",
journal = j-TISSEC,
volume = "1",
number = "1",
pages = "26--65",
month = nov,
year = "1998",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p26-bertino/",
abstract = "We present an approach to control information flow in
object-oriented systems. The decision of whether an
information flow is permitted or denied depends on both
the authorizations specified on the objects and the
process by which information is obtained and
transmitted. Depending on the specific computations, a
process accessing sensitive information could still be
allowed to release information to users who are not
allowed to directly access it. Exceptions to the
permissions and restrictions stated by the
authorizations are specified by means of exceptions
associated with methods. Two kinds of exceptions are
considered: {\em invoke exceptions,\/} applicable
during a method execution and {\em reply exceptions\/}
applicable to the information returned by a method.
Information flowing from one object into another or
returned to the user is subject to the different
exceptions specified for the methods enforcing the
transmission. We formally characterize information
transmission and flow in a transaction and define the
conditions for safe information flow. We define
security specifications and characterize safe
information flows. We propose an approach to control
unsafe flows and present an algorithm to enforce it. We
also illustrate an efficient implementation of our
controls and present some experimental results
evaluating its performance.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "security",
subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT,
Database Administration, Security, integrity, and
protection. {\bf H.2.4} Information Systems, DATABASE
MANAGEMENT, Systems, Object-oriented databases.",
}
@Article{Reiter:1998:CAW,
author = "Michael K. Reiter and Aviel D. Rubin",
title = "Crowds: anonymity for {Web} transactions",
journal = j-TISSEC,
volume = "1",
number = "1",
pages = "66--92",
month = nov,
year = "1998",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p66-reiter/",
abstract = "In this paper we introduce a system called Crowds for
protecting users' anonymity on the world-wide-web.
Crowds, named for the notion of ``blending into a
crowd,'' operates by grouping users into a large and
geographically diverse group (crowd) that collectively
issues requests on behalf of its members. Web servers
are unable to learn the true source of a request
because it is equally likely to have originated from
any member of the crowd, and even collaborating crowd
members cannot distinguish the originator of a request
from a member who is merely forwarding the request on
behalf of another. We describe the design,
implementation, security, performance, and scalability
of our system. Our security analysis introduces {\em
degrees of anonymity\/} as an important tool for
describing and proving anonymity properties.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "security",
subject = "{\bf C.2.2} Computer Systems Organization,
COMPUTER-COMMUNICATION NETWORKS, Network Protocols,
Applications (SMTP, FTP, etc.). {\bf C.2.0} Computer
Systems Organization, COMPUTER-COMMUNICATION NETWORKS,
General, Security and protection (e.g., firewalls).
{\bf K.4.1} Computing Milieux, COMPUTERS AND SOCIETY,
Public Policy Issues, Privacy. {\bf K.4.4} Computing
Milieux, COMPUTERS AND SOCIETY, Electronic Commerce,
Security.",
}
@Article{Sandhu:1998:MRM,
author = "Ravi Sandhu and Fang Chen",
title = "The multilevel relational ({MLR}) data model",
journal = j-TISSEC,
volume = "1",
number = "1",
pages = "93--132",
month = nov,
year = "1998",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p93-sandhu/",
abstract = "Many multilevel relational models have been proposed;
different models offer different advantages. In this
paper, we adapt and refine several of the best ideas
from previous models and add new ones to build the new
Multilevel Relational (MLR) data model. MLR provides
multilevel relations with element-level labeling as a
natural extension of the traditional relational data
model. MLR introduces several new concepts (notably,
data-borrow integrity and the UPLEVEL statement) and
significantly redefines existing concepts
(polyinstantiation and referential integrity as well as
data manipulation operations). A central contribution
of this paper is proofs of soundness, completeness, and
security of MLR. A new {\em data-based\/} semantics is
given for the MLR data model by combining ideas from
SeaView, belief-based semantics, and LDV. This new
semantics has the advantages of both eliminating
ambiguity and retaining upward information flow. MLR is
secure, unambiguous, and powerful. It has five
integrity properties and five operations for
manipulating multilevel relations. Soundness,
completeness, and security show that any of the five
database manipulation operations will keep database
states legal (i.e., satisfy all integrity properties),
that every legal database state can be constructed, and
that MLR is noninterfering. The expressive power of MLR
also compares favorably with several other models.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "security",
subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT,
Database Administration, Security, integrity, and
protection.",
}
@Article{Sandhu:1999:E,
author = "Ravi Sandhu",
title = "Editorial",
journal = j-TISSEC,
volume = "2",
number = "1",
pages = "1--2",
month = feb,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 10:21:44 MDT 2000",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-1/p1-sandhu/",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Nyanchama:1999:RGM,
author = "Matunda Nyanchama and Sylvia Osborn",
title = "The role graph model and conflict of interest",
journal = j-TISSEC,
volume = "2",
number = "1",
pages = "3--33",
month = feb,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p3-nyanchama/",
abstract = "We describe in more detail than before the reference
model for role-based access control introduced by
Nyanchama and Osborn, and the role-graph model with its
accompanying algorithms, which is one way of
implementing role-role relationships. An alternative
role insertion algorithm is added, and it is shown how
the role creation policies of Fernandez et al.
correspond to role addition algorithms in our model. We
then use our reference model to provide a taxonomy for
kinds of conflict. We then go on to consider in some
detail privilege-privilege and role-role conflicts in
conjunction with the role graph model. We show how
role-role conflicts lead to a partitioning of the role
graph into nonconflicting collections that can together
be safely authorized to a given user. Finally, in an
appendix, we present the role graph algorithms with
additional logic to disallow roles that contain
conflicting privileges.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "algorithms; management; security",
subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and
Protection, Access controls. {\bf K.6.5} Computing
Milieux, MANAGEMENT OF COMPUTING AND INFORMATION
SYSTEMS, Security and Protection. {\bf G.2.2}
Mathematics of Computing, DISCRETE MATHEMATICS, Graph
Theory, Graph algorithms.",
}
@Article{Ferraiolo:1999:RBA,
author = "David F. Ferraiolo and John F. Barkley and D. Richard
Kuhn",
title = "A role-based access control model and reference
implementation within a corporate intranet",
journal = j-TISSEC,
volume = "2",
number = "1",
pages = "34--64",
month = feb,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p34-ferraiolo/",
abstract = "This paper describes NIST's enhanced RBAC model and
our approach to designing and implementing RBAC
features for networked Web servers. The RBAC model
formalized in this paper is based on the properties
that were first described in Ferraiolo and Kuhn [1992]
and Ferraiolo et al. [1995], with adjustments resulting
from experience gained by prototype implementations,
market analysis, and observations made by Jansen [1988]
and Hoffman [1996]. The implementation of RBAC for the
Web (RBAC/Web) provides an alternative to the
conventional means of administering and enforcing
authorization policy on a server-by-server basis.
RBAC/Web provides administrators with a means of
managing authorization data at the enterprise level, in
a manner consistent with the current set of laws,
regulations, and practices.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "security; standardization",
subject = "{\bf C.2.4} Computer Systems Organization,
COMPUTER-COMMUNICATION NETWORKS, Distributed Systems.
{\bf C.2.5} Computer Systems Organization,
COMPUTER-COMMUNICATION NETWORKS, Local and Wide-Area
Networks. {\bf D.4.6} Software, OPERATING SYSTEMS,
Security and Protection, Access controls. {\bf D.4.7}
Software, OPERATING SYSTEMS, Organization and Design,
Distributed systems.",
}
@Article{Bertino:1999:SEA,
author = "Elisa Bertino and Elena Ferrari and Vijay Atluri",
title = "The specification and enforcement of authorization
constraints in workflow management systems",
journal = j-TISSEC,
volume = "2",
number = "1",
pages = "65--104",
month = feb,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p65-bertino/",
abstract = "In recent years, workflow management systems (WFMSs)
have gained popularity in both research and commercial
sectors. WFMSs are used to coordinate and streamline
business processes. Very large WFMSs are often used in
organizations with users in the range of several
thousands and process instances in the range of tens
of thousands. To simplify the complexity of security
administration, it is common practice in many
businesses to allocate a role for each activity in the
process and then assign one or more users to each
role---granting an authorization to roles rather than
to users. Typically, security policies are expressed as
constraints (or rules) on users and roles; {\em
separation of duties\/} is a well-known constraint.
Unfortunately, current role-based access control models
are not adequate to model such constraints. To address
this issue we (1) present a language to express both
static and dynamic authorization constraints as clauses
in a logic program; (2) provide formal notions of
constraint consistency; and (3) propose algorithms to
check the consistency of constraints and assign users
and roles to tasks that constitute the workflow in such
a way that no constraints are violated.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "security",
subject = "{\bf H.2.0} Information Systems, DATABASE MANAGEMENT,
General, Security, integrity, and protection**.",
}
@Article{Sandhu:1999:AMR,
author = "Ravi Sandhu and Venkata Bhamidipati and Qamar
Munawer",
title = "The {ARBAC97} model for role-based administration of
roles",
journal = j-TISSEC,
volume = "2",
number = "1",
pages = "105--135",
month = feb,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 27 17:35:45 MDT 1999",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p105-sandhu/",
abstract = "In role-based access control (RBAC), permissions are
associated with roles, and users are made members of
roles, thereby acquiring the roles' permissions. RBAC's
motivation is to simplify administration of
authorizations. An appealing possibility is to use RBAC
itself to manage RBAC, to further provide
administrative convenience and scalability, especially
in decentralizing administrative authority,
responsibility, and chores. This paper describes the
motivation, intuition, and formal definition of a new
role-based model for RBAC administration. This model is
called ARBAC97 (administrative RBAC '97) and has three
components: URA97 (user-role assignment '97), PRA97
(permission-role assignment '97), and RRA97 (role-role
assignment '97) dealing with different aspects of RBAC
administration. URA97, PRA97, and an outline of RRA97
were defined in 1997, hence the designation given to
the entire model. RRA97 was completed in 1998. ARBAC97
is described completely in this paper for the first
time. We also discuss possible extensions of
ARBAC97.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "algorithms; management; security",
subject = "{\bf C.2.4} Computer Systems Organization,
COMPUTER-COMMUNICATION NETWORKS, Distributed Systems.
{\bf D.4.6} Software, OPERATING SYSTEMS, Security and
Protection, Access controls. {\bf D.4.7} Software,
OPERATING SYSTEMS, Organization and Design, Distributed
systems. {\bf G.2.2} Mathematics of Computing, DISCRETE
MATHEMATICS, Graph Theory, Graph algorithms. {\bf
H.2.0} Information Systems, DATABASE MANAGEMENT,
General, Security, integrity, and protection**. {\bf
K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND
INFORMATION SYSTEMS, Security and Protection.",
}
@Article{Reiter:1999:AMA,
author = "Michael K. Reiter and Stuart G. Stubblebine",
title = "Authentication metric analysis and design",
journal = j-TISSEC,
volume = "2",
number = "2",
pages = "138--158",
month = may,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p138-reiter/",
abstract = "Authentication using a path of trusted intermediaries,
each able to authenticate the next in the path, is a
well-known technique for authenticating entities in a
large-scale system. Recent work has extended this
technique to include multiple paths in an effort to
bolster authentication, but the success of this
approach may be unclear in the face of intersecting
paths, ambiguities in the meaning of certificates, and
interdependencies in the use of different keys. Thus,
several authors have proposed metrics to evaluate the
confidence afforded by a set of paths. In this paper we
develop a set of guiding principles for the design of
such metrics. We motivate our principles by showing how
previous approaches failed with respect to these
principles and what the consequences to authentication
might be. We then propose a new metric that appears to
meet our principles, and so to be a satisfactory metric
of authentication.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Measurement; Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "metrics of authentication; public key infrastructure",
subject = "Software --- Operating Systems --- Security and
Protection (D.4.6): {\bf Authentication}; Computing
Milieux --- Management of Computing and Information
Systems --- Security and Protection (K.6.5): {\bf
Authentication}",
}
@Article{Schneier:1999:SAL,
author = "Bruce Schneier and John Kelsey",
title = "Secure Audit Logs to Support Computer Forensics",
journal = j-TISSEC,
volume = "2",
number = "2",
pages = "159--176",
month = may,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p159-schneier/",
abstract = "In many real-world applications, sensitive information
must be kept in log files on an untrusted machine. In
the event that an attacker captures this machine, we
would like to guarantee that he will gain little or no
information from the log files and to limit his ability
to corrupt the log files. We describe a computationally
cheap method for making all log entries generated prior
to the logging machine's compromise impossible for the
attacker to read, and also impossible to modify or
destroy undetectably.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "audit logs; auditing; authentication; computer
forensics; hash chains; intrusion detection",
subject = "Computer Systems Organization ---
Computer-Communication Networks --- Distributed Systems
(C.2.4); Computer Systems Organization ---
Computer-Communication Networks (C.2); Computer Systems
Organization --- Computer-Communication Networks ---
General (C.2.0); Computer Systems Organization ---
Computer-Communication Networks --- Network Protocols
(C.2.2)",
}
@Article{Jaeger:1999:FCD,
author = "Trent Jaeger and Atul Prakash and Jochen Liedtke and
Nayeem Islam",
title = "Flexible Control of Downloaded Executable Content",
journal = j-TISSEC,
volume = "2",
number = "2",
pages = "177--228",
month = may,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p177-jaeger/",
abstract = "We present a security architecture that enables system
and application access control requirements to be
enforced on applications composed from downloaded
executable content. Downloaded executable content
consists of messages downloaded from remote hosts that
contain executables that run, upon receipt, on the
downloading principal's machine. Unless restricted,
this content can perform malicious actions, including
accessing its downloading principal's private data and
sending messages on this principal's behalf. Current
security architectures for controlling downloaded
executable content (e.g., JDK 1.2) enable specification
of access control requirements for content based on its
provider and identity. Since these access control
requirements must cover every legal use of the class,
they may include rights that are not necessary for a
particular application of content. Therefore, using
these systems, an application composed from downloaded
executable content cannot enforce its access control
requirements without the addition of
application-specific security mechanisms. In this
paper, we define an access control model with the
following properties: (1) system administrators can
define system access control requirements on
applications and (2) application developers can use the
same model to enforce application access control
requirements without the need for ad hoc security
mechanisms. This access control model uses features of
role-based access control models to enable (1)
specification of a single role that applies to multiple
application instances; (2) selection of a content's
access rights based on the content's application and
role in the application; (3) consistency maintained
between application state and content access rights;
and (4) control of role administration. We detail a
system architecture that uses this access control model
to implement secure collaborative applications. Lastly,
we describe an implementation of this architecture,
called the Lava security architecture.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Management; Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control models; authentication; authorization
mechanisms; collaborative systems; role-based access
control",
subject = "Software --- Software Engineering --- Management
(D.2.9): {\bf Software configuration management};
Software --- Operating Systems --- Security and
Protection (D.4.6): {\bf Access controls}; Software ---
Operating Systems --- Security and Protection (D.4.6):
{\bf Invasive software}; Computing Milieux ---
Management of Computing and Information Systems ---
System Management (K.6.4): {\bf
Centralization/decentralization}; Computing Milieux ---
Management of Computing and Information Systems ---
Security and Protection (K.6.5): {\bf Invasive
software}",
}
@Article{Halevi:1999:PKC,
author = "Shai Halevi and Hugo Krawczyk",
title = "Public-Key Cryptography and Password Protocols",
journal = j-TISSEC,
volume = "2",
number = "3",
pages = "230--268",
month = aug,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p230-halevi/",
abstract = "We study protocols for strong authentication and key
exchange in asymmetric scenarios where the
authentication server possesses a pair of private and
public keys while the client has only a weak
human-memorizable password as its authentication key.
We present and analyze several simple password
authentication protocols in this scenario, and show
that the security of these protocols can be formally
proven based on standard cryptographic assumptions.
Remarkably, our analysis shows optimal resistance to
off-line password guessing attacks under the choice of
suitable public key encryption functions. In addition
to user authentication, we describe ways to enhance
these protocols to provide two-way authentication,
authenticated key exchange, defense against server's
compromise, and user anonymity. We complement these
results with a proof that strongly indicates that
public key techniques are unavoidable for password
protocols that resist off-line guessing attacks.
\par
As a further contribution, we introduce the notion of
{\em public passwords\/} that enables the use of the
above protocols in situations where the client's
machine does not have the means to validate the
server's public key. Public passwords serve as
``hand-held certificates'' that the user can carry
without the need for special computing devices.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "dictionary attacks; hand-held certificates; key
exchange; passwords; public passwords; public-key
protocols",
subject = "Computer Systems Organization ---
Computer-Communication Networks --- General (C.2.0):
{\bf Security and protection (e.g., firewalls)};
Computing Milieux --- Management of Computing and
Information Systems --- Security and Protection
(K.6.5): {\bf Authentication}",
}
@Article{Xu:1999:DHP,
author = "Jun Xu and Mukesh Singhal",
title = "Design of a High-Performance {ATM} Firewall",
journal = j-TISSEC,
volume = "2",
number = "3",
pages = "269--294",
month = aug,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p269-xu/",
abstract = "A router-based packet-filtering firewall is an
effective way of protecting an enterprise network from
unauthorized access. However, it will not work
efficiently in an ATM network because it requires the
termination of end-to-end ATM connections at a
packet-filtering router, which incurs huge overhead of
SAR (Segmentation and Reassembly). Very few approaches
to this problem have been proposed in the literature,
and none is completely satisfactory. In this paper we
present the hardware design of a high-speed ATM
firewall that does not require the termination of an
end-to-end connection in the middle. We propose a novel
firewall design philosophy, called Quality of
Firewalling (QoF), that applies security measures of
different strength to traffic with different risk
levels and show how it can be implemented in our
firewall. Compared with the traditional firewalls, this
ATM firewall performs exactly the same packet-level
filtering without compromising the performance and has
the same ``look and feel'' by sitting at the chokepoint
between the trusted ATM LAN and untrusted ATM WAN. It
is also easy to manage and flexible to use.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "asynchronous transfer mode; firewall; packet
filtering; switch architecture; TCP/IP",
subject = "Computer Systems Organization --- Performance of
Systems (C.4): {\bf Performance attributes}; Computer
Systems Organization --- Performance of Systems (C.4);
Computer Systems Organization ---
Computer-Communication Networks --- General (C.2.0);
Computer Systems Organization ---
Computer-Communication Networks --- Network
Architecture and Design (C.2.1): {\bf Asynchronous
Transfer Mode (ATM)}; Computer Systems Organization ---
Computer-Communication Networks --- Internetworking
(C.2.6): {\bf Routers}; Computer Systems Organization
--- Computer-Communication Networks --- Local and
Wide-Area Networks (C.2.5)",
}
@Article{Lane:1999:TSL,
author = "Terran Lane and Carla E. Brodley",
title = "Temporal sequence learning and data reduction for
anomaly detection",
journal = j-TISSEC,
volume = "2",
number = "3",
pages = "295--331",
month = aug,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p295-lane/",
abstract = "The anomaly-detection problem can be formulated as one
of learning to characterize the behaviors of an
individual, system, or network in terms of temporal
sequences of discrete data. We present an approach on
the basis of instance-based learning (IBL) techniques.
To cast the anomaly-detection task in an IBL framework,
we employ an approach that transforms temporal
sequences of discrete, unordered observations into a
metric space via a similarity measure that encodes
intra-attribute dependencies. Classification boundaries
are selected from an {\em a posteriori\/}
characterization of valid user behaviors, coupled with
a domain heuristic. An empirical evaluation of the
approach on user command data demonstrates that we can
accurately differentiate the profiled user from
alternative users when the available features encode
sufficient information. Furthermore, we demonstrate
that the system detects anomalous conditions {\em
quickly\/} --- an important quality for reducing
potential damage by a malicious user. We present
several techniques for reducing data storage
requirements of the user profile, including
instance-selection methods and clustering. An empirical
evaluation shows that a new greedy clustering algorithm
reduces the size of the user model by 70\%, with only a
small loss in accuracy.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "anomaly detection; clustering; data reduction;
empirical evaluation; instance based learning; machine
learning; user profiling",
subject = "Software --- Operating Systems --- Security and
Protection (D.4.6)",
}
@Article{Paulson:1999:IAI,
author = "Lawrence C. Paulson",
title = "Inductive analysis of the {Internet} protocol {TLS}",
journal = j-TISSEC,
volume = "2",
number = "3",
pages = "332--351",
month = aug,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p332-paulson/",
abstract = "Internet browsers use security protocols to protect
sensitive messages. An inductive analysis of TLS (a
descendant of SSL 3.0) has been performed using the
theorem prover Isabelle. Proofs are based on
higher-order logic and make no assumptions concerning
beliefs or finiteness. All the obvious security goals
can be proved; session resumption appears to be secure
even if old session keys are compromised. The proofs
suggest minor changes to simplify the analysis.
\par
TLS, even at an abstract level, is much more
complicated than most protocols verified by
researchers. Session keys are negotiated rather than
distributed, and the protocol has many optional parts.
Nevertheless, the resources needed to verify TLS are
modest: six man-weeks of effort and three minutes of
processor time.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Security; Verification",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "authentication; inductive method; Isabelle; proof
tools; TLS",
subject = "Theory of Computation --- Logics and Meanings of
Programs --- Specifying and Verifying and Reasoning
about Programs (F.3.1): {\bf Mechanical verification};
Computer Systems Organization ---
Computer-Communication Networks --- Network Protocols
(C.2.2): {\bf Protocol verification}",
}
@Article{Stubblebine:1999:UST,
author = "Stuart G. Stubblebine and Paul F. Syverson and David
M. Goldschlag",
title = "Unlinkable serial transactions: protocols and
applications",
journal = j-TISSEC,
volume = "2",
number = "4",
pages = "354--389",
month = nov,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/articles/journals/tissec/1999-2-4/p354-stubblebine/p354-stubblebine.pdf;
http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p354-stubblebine/",
abstract = "We present a protocol for unlinkable serial
transactions suitable for a variety of network-based
subscription services. It is the first protocol to use
cryptographic blinding to enable subscription services.
The protocol prevents the service from tracking the
behavior of its customers, while protecting the service
vendor from abuse due to simultaneous or cloned use by
a single subscriber. Our basic protocol structure and
recovery protocol are robust against failure in
protocol termination. We evaluate the security of the
basic protocol and extend the basic protocol to include
auditing, which further deters subscription sharing. We
describe other applications of unlinkable serial
transactions for pay-per-use trans subscription,
third-party subscription management, multivendor
coupons, proof of group membership, and voting.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Design; Security; Verification",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "anonymity; blinding; cryptographic protocols;
unlinkable serial transactions",
subject = "Computer Applications --- Administrative Data
Processing (J.1); Software --- Operating Systems ---
Security and Protection (D.4.6): {\bf Access controls};
Software --- Operating Systems --- Security and
Protection (D.4.6): {\bf Cryptographic controls};
Software --- Operating Systems --- Security and
Protection (D.4.6): {\bf Authentication}; Computing
Milieux --- Management of Computing and Information
Systems --- Security and Protection (K.6.5); Computing
Milieux --- Management of Computing and Information
Systems --- Security and Protection (K.6.5): {\bf
Authentication}; Computing Milieux --- Management of
Computing and Information Systems --- Security and
Protection (K.6.5): {\bf Unauthorized access (e.g.,
hacking, phreaking)}; Information Systems ---
Information Storage and Retrieval --- Systems and
Software (H.3.4): {\bf User profiles and alert
services}; Information Systems --- Database Management
--- Systems (H.2.4): {\bf Transaction processing};
Information Systems --- Information Storage and
Retrieval --- Digital Libraries (H.3.7): {\bf User
issues}",
}
@Article{Gabber:1999:SPC,
author = "Eran Gabber and Phillip B. Gibbons and David M.
Kristol and Yossi Matias and Alain Mayer",
title = "On secure and pseudonymous client-relationships with
multiple servers",
journal = j-TISSEC,
volume = "2",
number = "4",
pages = "390--415",
month = nov,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p390-gabber/",
abstract = "This paper introduces a cryptographic engine, Janus,
which assists clients in establishing and maintaining
secure and pseudonymous relationships with multiple
servers. The setting is such that clients reside on a
particular subnet (e.g., corporate intranet, ISP) and
the servers reside anywhere on the Internet. The Janus
engine allows each client-server relationship to use
either weak or strong authentication on each
interaction. At the same time, each interaction
preserves privacy by neither revealing a client's true
identity (except for the subnet) nor the set of servers
with which a particular client interacts. Furthermore,
clients do not need any secure long-term memory,
enabling scalability and mobility. The interaction
model extends to allow servers to send data back to
clients via e-mail at a later date. Hence, our results
complement the functionality of current network
anonymity tools and remailers. The paper also describes
the design and implementation of the Lucent
Personalized Web Assistant (LPWA), which is a practical
system that provides secure and pseudonymous relations
with multiple servers on the Internet. LPWA employs the
Janus function to generate site-specific person{\ae}, which
consist of alias usernames, passwords, and e-mail
addresses.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Algorithms; Experimentation; Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "anonymity; Janus function; mailbox; persistent
relationship; privacy; pseudonym",
subject = "Computing Milieux --- Management of Computing and
Information Systems --- Security and Protection
(K.6.5): {\bf Authentication}",
}
@Article{Hevia:1999:STD,
author = "Alejandro Hevia and Marcos Kiwi",
title = "Strength of Two {Data Encryption Standard}
Implementations under Timing Attack",
journal = j-TISSEC,
volume = "2",
number = "4",
pages = "416--437",
month = nov,
year = "1999",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Oct 26 11:39:38 MDT 2000",
bibsource = "http://www.acm.org/tissec/contents/v2no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p416-hevia/",
abstract = "We study the vulnerability of two implementations of
the Data Encryption Standard (DES) cryptosystem under a
timing attack. A timing attack is a method, recently
proposed by Paul Kocher, that is designed to break
cryptographic systems. It exploits the engineering
aspects involved in the implementation of cryptosystems
and might succeed even against cryptosystems that
remain impervious to sophisticated cryptanalytic
techniques. A timing attack is, essentially, a way of
obtaining some user's private information by carefully
measuring the time it takes the user to carry out
cryptographic operations. In this work, we analyze two
implementations of DES. We show that a timing attack
yields the Hamming weight of the key used by both DES
implementations. Moreover, the attack is
computationally inexpensive. We also show that all the
design characteristics of the target system, necessary
to carry out the timing attack, can be inferred from
timing measurements.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
generalterms = "Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "cryptanalysis; cryptography; data encryption standard;
timing attack",
subject = "Data --- Data Encryption (E.3): {\bf Data encryption
standard (DES)**}; Computer Systems Organization ---
Special-Purpose and Application-Based Systems (C.3)",
}
@Article{Frincke:2000:BCR,
author = "Deborah Frincke",
title = "Balancing Cooperation and Risk in Intrusion
Detection",
journal = j-TISSEC,
volume = "3",
number = "1",
pages = "1--29",
month = feb,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Schneider:2000:ESP,
author = "Fred B. Schneider",
title = "Enforceable Security Policies",
journal = j-TISSEC,
volume = "3",
number = "1",
pages = "30--50",
month = feb,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Spinellis:2000:RMS,
author = "Diomidis Spinellis",
title = "Reflection as a Mechanism for Software Integrity
Verification",
journal = j-TISSEC,
volume = "3",
number = "1",
pages = "51--62",
month = feb,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Dolev:2000:XTE,
author = "Shlomi Dolev and Rafail Ostrovsky",
title = "Xor-Trees for Efficient Anonymous Multicast and
Reception",
journal = j-TISSEC,
volume = "3",
number = "2",
pages = "63--84",
month = may,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Osborn:2000:CRB,
author = "Sylvia Osborn and Ravi Sandhu and Qamar Munawer",
title = "Configuring Role-Based Access Control to Enforce
Mandatory and Discretionary Access Control Policies",
journal = j-TISSEC,
volume = "3",
number = "2",
pages = "85--106",
month = may,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wool:2000:KME,
author = "Avishai Wool",
title = "Key Management for Encrypted Broadcast",
journal = j-TISSEC,
volume = "3",
number = "2",
pages = "107--134",
month = may,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Molva:2000:SMS,
author = "Refik Molva and Alain Pannetrat",
title = "Scalable Multicast Security with Dynamic Recipient
Groups",
journal = j-TISSEC,
volume = "3",
number = "3",
pages = "136--160",
month = aug,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Cramer:2000:SSB,
author = "Ronald Cramer and Victor Shoup",
title = "Signature Schemes Based on the Strong {RSA}
Assumption",
journal = j-TISSEC,
volume = "3",
number = "3",
pages = "161--185",
month = aug,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Axelsson:2000:BRF,
author = "Stefan Axelsson",
title = "The Base-Rate Fallacy and the Difficulty of Intrusion
Detection",
journal = j-TISSEC,
volume = "3",
number = "3",
pages = "186--205",
month = aug,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ahn:2000:RBA,
author = "Gail-Joon Ahn and Ravi Sandhu",
title = "Role-based Authorization Constraints Specification",
journal = j-TISSEC,
volume = "3",
number = "4",
pages = "207--226",
month = nov,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Lee:2000:FCF,
author = "Wenke Lee and Salvatore J. Stolfo",
title = "A Framework for Constructing Features and Models for
Intrusion Detection Systems",
journal = j-TISSEC,
volume = "3",
number = "4",
pages = "227--261",
month = nov,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{McHugh:2000:TID,
author = "John McHugh",
title = "Testing Intrusion detection systems: a critique of the
1998 and 1999 {DARPA} intrusion detection system
evaluations as performed by {Lincoln Laboratory}",
journal = j-TISSEC,
volume = "3",
number = "4",
pages = "262--294",
month = nov,
year = "2000",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v3no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chang:2001:RTP,
author = "Ho-Yen Chang and S. Felix Wu and Y. Frank Jou",
title = "Real-Time Protocol Analysis for Detecting Link-State
Routing Protocol Attacks",
journal = j-TISSEC,
volume = "4",
number = "1",
pages = "1--36",
month = feb,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v4no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Park:2001:RBA,
author = "Joon S. Park and Ravi Sandhu and Gail-Joon Ahn",
title = "Role-based access control on the {Web}",
journal = j-TISSEC,
volume = "4",
number = "1",
pages = "37--71",
month = feb,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Smith:2001:CPH,
author = "Richard E. Smith",
title = "Cost Profile of a Highly Assured, Secure Operating
System",
journal = j-TISSEC,
volume = "4",
number = "1",
pages = "72--101",
month = feb,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/v4no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Shands:2001:SVE,
author = "Deborah Shands and Jay Jacobs and Richard Yee and E.
John Sebes",
title = "Secure Virtual Enclaves: Supporting Coalition Use of
Distributed Application Technologies",
journal = j-TISSEC,
volume = "4",
number = "2",
pages = "103--133",
month = may,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Steiner:2001:SPB,
author = "Michael Steiner and Peter Buhler and Thomas Eirich and
Michael Waidner",
title = "Secure Password-Based Cipher Suite for {TLS}",
journal = j-TISSEC,
volume = "4",
number = "2",
pages = "134--157",
month = may,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Jaeger:2001:PSF,
author = "Trent Jaeger and Jonathon E. Tidswell",
title = "Practical Safety in Flexible Access Control Models",
journal = j-TISSEC,
volume = "4",
number = "2",
pages = "158--190",
month = may,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:22 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bertino:2001:TTR,
author = "Elisa Bertino and Piero Andrea Bonatti and Elena
Ferrari",
title = "{TRBAC}: a Temporal Role-based Access Control Model",
journal = j-TISSEC,
volume = "4",
number = "3",
pages = "191--223",
month = aug,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ferraiolo:2001:PNS,
author = "David F. Ferraiolo and Ravi Sandhu and Serban Gavrila
and D. Richard Kuhn and Ramaswamy Chandramouli",
title = "Proposed {NIST} standard for role-based access
control",
journal = j-TISSEC,
volume = "4",
number = "3",
pages = "224--274",
month = aug,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Kaliski:2001:UKS,
author = "Burton S. Kaliski",
title = "An unknown key-share attack on the {MQV} key agreement
protocol",
journal = j-TISSEC,
volume = "4",
number = "3",
pages = "275--288",
month = aug,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Rodeh:2001:APS,
author = "Ohad Rodeh and Kenneth P. Birman and Danny Dolev",
title = "The Architecture and Performance of Security Protocols
in the {Ensemble Group Communication System}: Using
Diamonds to Guard the Castle",
journal = j-TISSEC,
volume = "4",
number = "3",
pages = "289--319",
month = aug,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bertino:2001:NTM,
author = "Elisa Bertino and Barbara Catania and Elena Ferrari",
title = "A Nested Transaction Model for Multilevel Secure
Database Management Systems",
journal = j-TISSEC,
volume = "4",
number = "4",
pages = "321--370",
month = nov,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Kihlstrom:2001:SGC,
author = "Kim Potter Kihlstrom and L. E. Moser and P. M.
Melliar-Smith",
title = "The {SecureRing} group communication system",
journal = j-TISSEC,
volume = "4",
number = "4",
pages = "371--406",
month = nov,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ning:2001:ABI,
author = "Peng Ning and Sushil Jajodia and Xiaoyang Sean Wang",
title = "Abstraction-based intrusion detection in distributed
environments",
journal = j-TISSEC,
volume = "4",
number = "4",
pages = "407--452",
month = nov,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.acm.org/tissec/contents/v4no4.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Samarati:2001:AMP,
author = "Pierangela Samarati and Michael K. Reiter and Sushil
Jajodia",
title = "An authorization model for a public key management
service",
journal = j-TISSEC,
volume = "4",
number = "4",
pages = "453--482",
month = nov,
year = "2001",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Feb 25 16:47:23 MST 2002",
bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bonatti:2002:ACA,
author = "Piero Bonatti and Sabrina {De Capitani di Vimercati}
and Pierangela Samarati",
title = "An Algebra for Composing Access Control Policies",
journal = j-TISSEC,
volume = "5",
number = "1",
pages = "1--35",
month = feb,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.acm.org/tissec/contents/v5no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bernaschi:2002:RSE,
author = "Massimo Bernaschi and Emanuele Gabrielli and Luigi V.
Mancini",
title = "{REMUS}: a Security-Enhanced Operating System",
journal = j-TISSEC,
volume = "5",
number = "1",
pages = "36--61",
month = feb,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.acm.org/tissec/contents/v5no1.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Atluri:2002:AMT,
author = "Vijayalakshmi Atluri and Avigdor Gal",
title = "An authorization model for temporal and derived data:
securing information portals",
journal = j-TISSEC,
volume = "5",
number = "1",
pages = "62--94",
month = feb,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Blaze:2002:TMI,
author = "Matt Blaze and John Ioannidis and Angelos D.
Keromytis",
title = "Trust Management for {IPsec}",
journal = j-TISSEC,
volume = "5",
number = "2",
pages = "95--118",
month = may,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 25 16:54:06 MDT 2001",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Dean:2002:AAI,
author = "Drew Dean and Matt Franklin and Adam Stubblefield",
title = "An Algebraic Approach to {IP} Traceback",
journal = j-TISSEC,
volume = "5",
number = "2",
pages = "119--137",
month = may,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.acm.org/tissec/contents/v5no3.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Rudys:2002:TLB,
author = "Algis Rudys and Dan S. Wallach",
title = "Termination in language-based systems",
journal = j-TISSEC,
volume = "5",
number = "2",
pages = "138--168",
month = may,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Damiani:2002:FGA,
author = "Ernesto Damiani and Sabrina {De Capitani di Vimercati}
and Stefano Paraboschi and Pierangela Samarati",
title = "A Fine-Grained Access Control System for {XML}
Documents",
journal = j-TISSEC,
volume = "5",
number = "2",
pages = "169--202",
month = may,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:35 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.acm.org/tissec/contents/v5no2.html;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Michael:2002:SSB,
author = "C. C. Michael and Anup Ghosh",
title = "Simple, state-based approaches to program-based
anomaly detection",
journal = j-TISSEC,
volume = "5",
number = "3",
pages = "203--237",
month = aug,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:36 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Viega:2002:TBS,
author = "John Viega and J. T. Bloch and Tadayoshi Kohno and
Gary McGraw",
title = "Token-based scanning of source code for security
problems",
journal = j-TISSEC,
volume = "5",
number = "3",
pages = "238--261",
month = aug,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:36 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "ITS4",
}
@Article{Loughry:2002:ILO,
author = "Joe Loughry and David A. Umphress",
title = "Information leakage from optical emanations",
journal = j-TISSEC,
volume = "5",
number = "3",
pages = "262--289",
month = aug,
year = "2002",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Aug 7 09:02:36 MDT 2003",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@article{Bertino:2002:SSD,
  author          = {Elisa Bertino and Elena Ferrari},
  title           = {Secure and Selective Dissemination of {XML} Documents},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {3},
  pages           = {290--331},
  month           = aug,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.acm.org/tissec/contents/v5no2.html;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Koch:2002:GBF,
  author          = {Manuel Koch and Luigi V. Mancini and Francesco Parisi-Presicce},
  title           = {A graph-based formalism for {RBAC}},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {3},
  pages           = {332--365},
  month           = aug,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Bergadano:2002:UAT,
  author          = {Francesco Bergadano and Daniele Gunetti and Claudia Picardi},
  title           = {User authentication through keystroke dynamics},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {4},
  pages           = {367--397},
  month           = nov,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Swift:2002:IGA,
  author          = {Michael M. Swift and Anne Hopkins and Peter Brundrett and
                     Cliff {Van Dyke} and Praerit Garg and Shannon Chan and
                     Mario Goertzel and Gregory Jensenworth},
  title           = {Improving the granularity of access control for {Windows 2000}},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {4},
  pages           = {398--437},
  month           = nov,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.acm.org/tissec/contents/v5no4.html;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Gordon:2002:EIS,
  author          = {Lawrence A. Gordon and Martin P. Loeb},
  title           = {The economics of information security investment},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {4},
  pages           = {438--457},
  month           = nov,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Harbitter:2002:MAP,
  author          = {Alan Harbitter and Daniel A. Menasc{\'e}},
  title           = {A methodology for analyzing the performance of authentication protocols},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {4},
  pages           = {458--491},
  month           = nov,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Bacon:2002:MOR,
  author          = {Jean Bacon and Ken Moody and Walt Yao},
  title           = {A model of {OASIS} role-based access control and its
                     support for active security},
  journal         = j-TISSEC,
  volume          = {5},
  number          = {4},
  pages           = {492--540},
  month           = nov,
  year            = {2002},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:36 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Yu:2003:SSC,
  author          = {Ting Yu and Marianne Winslett and Kent E. Seamons},
  title           = {Supporting structured credentials and sensitive policies
                     through interoperable strategies for automated trust
                     negotiation},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {1},
  pages           = {1--42},
  month           = feb,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Halpern:2003:RBS,
  author          = {Joseph Y. Halpern and Riccardo Pucella},
  title           = {On the relationship between strand spaces and multi-agent systems},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {1},
  pages           = {43--70},
  month           = feb,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Bertino:2003:LFR,
  author          = {Elisa Bertino and Barbara Catania and Elena Ferrari and
                     Paolo Perlasca},
  title           = {A Logical Framework for Reasoning about Access Control Models},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {1},
  pages           = {71--127},
  month           = feb,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.acm.org/tissec/contents/v5no4.html;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Li:2003:DLL,
  author          = {Ninghui Li and Benjamin N. Grosof and Joan Feigenbaum},
  title           = {Delegation logic: a logic-based approach to distributed authorization},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {1},
  pages           = {128--171},
  month           = feb,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Chari:2003:BPD,
  author          = {Suresh N. Chari and Pau-Chen Cheng},
  title           = {{BlueBoX}: a policy-driven, host-based intrusion detection system},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {2},
  pages           = {173--200},
  month           = may,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Crampton:2003:ASF,
  author          = {Jason Crampton and George Loizou},
  title           = {Administrative scope: a foundation for role-based administrative models},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {2},
  pages           = {201--231},
  month           = may,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Karjoth:2003:ACI,
  author          = {G{\"u}nter Karjoth},
  title           = {Access control with {IBM Tivoli} access manager},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {2},
  pages           = {232--257},
  month           = may,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Park:2003:EMS,
  author          = {Jung Min Park and Edwin K. P. Chong and Howard Jay Siegel},
  title           = {Efficient multicast stream authentication using erasure codes},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {2},
  pages           = {258--285},
  month           = may,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Wijesekera:2003:PPA,
  author          = {Duminda Wijesekera and Sushil Jajodia},
  title           = {A propositional policy algebra for access control},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {2},
  pages           = {286--325},
  month           = may,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Aug 7 09:02:37 MDT 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Jaeger:2003:PMU,
  author          = {Trent Jaeger and Xiaolan Zhang and Fidel Cacheda},
  title           = {Policy management using access control spaces},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {3},
  pages           = {327--364},
  month           = aug,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:09 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Rogaway:2003:OBC,
  author          = {Phillip Rogaway and Mihir Bellare and John Black},
  title           = {{OCB}: a block-cipher mode of operation for efficient
                     authenticated encryption},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {3},
  pages           = {365--403},
  month           = aug,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:09 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Zhang:2003:RBF,
  author          = {Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu},
  title           = {A rule-based framework for role-based delegation and revocation},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {3},
  pages           = {404--441},
  month           = aug,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:09 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Julisch:2003:CID,
  author          = {Klaus Julisch},
  title           = {Clustering intrusion detection alarms to support root cause analysis},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {4},
  pages           = {443--471},
  month           = nov,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:10 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Persiano:2003:SPS,
  author          = {Pino Persiano and Ivan Visconti},
  title           = {A secure and private system for subscription-based remote services},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {4},
  pages           = {472--500},
  month           = nov,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:10 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Barker:2003:FAC,
  author          = {Steve Barker and Peter J. Stuckey},
  title           = {Flexible access control policy specification with
                     constraint logic programming},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {4},
  pages           = {501--546},
  month           = nov,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:10 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Ellison:2003:PKS,
  author          = {Carl Ellison and Steve Dohrmann},
  title           = {Public-key support for group collaboration},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {4},
  pages           = {547--565},
  month           = nov,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:10 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Thompson:2003:CBA,
  author          = {Mary R. Thompson and Abdelilah Essiari and Srilekha Mudumbai},
  title           = {Certificate-based authorization policy in a {PKI} environment},
  journal         = j-TISSEC,
  volume          = {6},
  number          = {4},
  pages           = {566--588},
  month           = nov,
  year            = {2003},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Dec 22 17:56:10 MST 2003},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Ateniese:2004:VED,
  author          = {Giuseppe Ateniese},
  title           = {Verifiable encryption of digital signatures and applications},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {1},
  pages           = {1--20},
  month           = feb,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Levi:2004:UNC,
  author          = {Albert Levi and M. Ufuk Caglayan and Cetin K. Koc},
  title           = {Use of nested certificates for efficient, dynamic, and
                     trust preserving public key infrastructure},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {1},
  pages           = {21--59},
  month           = feb,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Kim:2004:TBG,
  author          = {Yongdae Kim and Adrian Perrig and Gene Tsudik},
  title           = {Tree-based group key agreement},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {1},
  pages           = {60--96},
  month           = feb,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Montenegro:2004:CBI,
  author          = {Gabriel Montenegro and Claude Castelluccia},
  title           = {Crypto-based identifiers {(CBIDs)}: {Concepts} and applications},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {1},
  pages           = {97--127},
  month           = feb,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Park:2004:UUC,
  author          = {Jaehong Park and Ravi Sandhu},
  title           = {The {UCON$_{ABC}$} usage control model},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {1},
  pages           = {128--174},
  month           = feb,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Jaeger:2004:CAA,
  author          = {Trent Jaeger and Antony Edwards and Xiaolan Zhang},
  title           = {Consistency analysis of authorization hook placement in
                     the {Linux} security modules framework},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {2},
  pages           = {175--205},
  month           = may,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
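%%% The paradigm name in the title is braced as one unit: styles that
%%% sentence-case titles would otherwise lowercase "Encode" and "Encrypt".
@Article{Bellare:2004:BPR,
  author = "Mihir Bellare and Tadayoshi Kohno and Chanathip
    Namprempre",
  title = "Breaking and provably repairing the {SSH}
    authenticated encryption scheme: a case study of the
    {Encode-then-Encrypt-and-MAC} paradigm",
  journal = j-TISSEC,
  volume = "7",
  number = "2",
  pages = "206--241",
  month = may,
  year = "2004",
  CODEN = "ATISBQ",
  ISSN = "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L = "1094-9224",
  bibdate = "Thu Nov 4 08:41:51 MST 2004",
  bibsource = "http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal = "ACM Transactions on Information and System Security",
  journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}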
@article{Aiello:2004:JFK,
  author          = {William Aiello and Steven M. Bellovin and Matt Blaze and
                     Ran Canetti and John Ioannidis and Angelos D. Keromytis and
                     Omer Reingold},
  title           = {Just fast keying: {Key} agreement in a hostile {Internet}},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {2},
  pages           = {242--273},
  month           = may,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Ning:2004:TTA,
  author          = {Peng Ning and Yun Cui and Douglas S. Reeves and Dingbang Xu},
  title           = {Techniques and tools for analyzing intrusion alerts},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {2},
  pages           = {274--318},
  month           = may,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Stubblefield:2004:KRA,
  author          = {Adam Stubblefield and John Ioannidis and Aviel D. Rubin},
  title           = {A key recovery attack on the 802.11b wired equivalent
                     privacy protocol {(WEP)}},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {2},
  pages           = {319--332},
  month           = may,
  year            = {2004},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/996943.996948},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {In this paper, we present a practical key recovery attack
                     on WEP, the link-layer security protocol for 802.11b
                     wireless networks. The attack is based on a partial key
                     exposure vulnerability in the RC4 stream cipher discovered
                     by Fluhrer, Mantin, and Shamir. This paper describes how
                     to apply this flaw to breaking WEP, our implementation of
                     the attack, and optimizations that can be used to reduce
                     the number of packets required for the attack. We conclude
                     that the 802.11b WEP standard is completely insecure, and
                     we provide recommendations on how this vulnerability could
                     be mitigated and repaired.},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Carrier:2004:STP,
  author          = {Brian Carrier and Clay Shields},
  title           = {The session token protocol for forensics and traceback},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {3},
  pages           = {333--362},
  month           = aug,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Wedde:2004:MAA,
  author          = {Horst F. Wedde and Mario Lischka},
  title           = {Modular authorization and administration},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {3},
  pages           = {363--391},
  month           = aug,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Strembeck:2004:IAE,
  author          = {Mark Strembeck and Gustaf Neumann},
  title           = {An integrated approach to engineer and enforce context
                     constraints in {RBAC} environments},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {3},
  pages           = {392--427},
  month           = aug,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Hess:2004:CTT,
  author          = {Adam Hess and Jason Holt and Jared Jacobson and Kent E. Seamons},
  title           = {Content-triggered trust negotiation},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {3},
  pages           = {428--456},
  month           = aug,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Amir:2004:PGK,
  author          = {Yair Amir and Yongdae Kim and Cristina Nita-Rotaru and Gene Tsudik},
  title           = {On the performance of group key agreement protocols},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {3},
  pages           = {457--488},
  month           = aug,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Nov 4 08:41:51 MST 2004},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Wright:2004:PAA,
  author          = {Matthew K. Wright and Micah Adler and Brian Neil Levine and
                     Clay Shields},
  title           = {The predecessor attack: an analysis of a threat to
                     anonymous communications systems},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {4},
  pages           = {489--522},
  month           = nov,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Huang:2004:KCB,
  author          = {Dijiang Huang and Deep Medhi},
  title           = {A key-chain-based keying scheme for many-to-many secure
                     group communication},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {4},
  pages           = {523--552},
  month           = nov,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Shacham:2004:CSC,
  author          = {Hovav Shacham and Dan Boneh and Eric Rescorla},
  title           = {Client-side caching for {TLS}},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {4},
  pages           = {553--575},
  month           = nov,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Walcott:2004:TMR,
  author          = {Tom Walcott and Matt Bishop},
  title           = {Traducement: a model for record security},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {4},
  pages           = {576--590},
  month           = nov,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Ning:2004:HRA,
  author          = {Peng Ning and Dingbang Xu},
  title           = {Hypothesizing and reasoning about attacks missed by
                     intrusion detection systems},
  journal         = j-TISSEC,
  volume          = {7},
  number          = {4},
  pages           = {591--627},
  month           = nov,
  year            = {2004},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Sandhu:2005:E,
  author          = {Ravi Sandhu},
  title           = {Editorial},
  journal         = j-TISSEC,
  volume          = {8},
  number          = {1},
  pages           = {1--1},
  month           = feb,
  year            = {2005},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Atluri:2005:P,
  author          = {Vijay Atluri},
  title           = {Preface},
  journal         = j-TISSEC,
  volume          = {8},
  number          = {1},
  pages           = {2--2},
  month           = feb,
  year            = {2005},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Barrantes:2005:RIS,
  author          = {Elena Gabriela Barrantes and David H. Ackley and
                     Stephanie Forrest and Darko Stefanovi{\'c}},
  title           = {Randomized instruction set emulation},
  journal         = j-TISSEC,
  volume          = {8},
  number          = {1},
  pages           = {3--40},
  month           = feb,
  year            = {2005},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Liu:2005:EPK,
  author          = {Donggang Liu and Peng Ning and Rongfang Li},
  title           = {Establishing pairwise keys in distributed sensor networks},
  journal         = j-TISSEC,
  volume          = {8},
  number          = {1},
  pages           = {41--77},
  month           = feb,
  year            = {2005},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Liu:2005:IBM,
  author          = {Peng Liu and Wanyu Zang and Meng Yu},
  title           = {Incentive-based modeling and inference of attacker
                     intent, objectives, and strategies},
  journal         = j-TISSEC,
  volume          = {8},
  number          = {1},
  pages           = {78--118},
  month           = feb,
  year            = {2005},
  CODEN           = {ATISBQ},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu Mar 24 15:53:55 MST 2005},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Ceselli:2005:MAI,
author = "Alberto Ceselli and Ernesto Damiani and Sabrina {De
Capitani Di Vimercati} and Sushil Jajodia and Stefano
Paraboschi and Pierangela Samarati",
title = "Modeling and assessing inference exposure in encrypted
databases",
journal = j-TISSEC,
volume = "8",
number = "1",
pages = "119--152",
month = feb,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Mar 24 15:53:55 MST 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ye:2005:TPB,
author = "Zishuang (Eileen) Ye and Sean Smith and Denise
Anthony",
title = "Trusted paths for browsers",
journal = j-TISSEC,
volume = "8",
number = "2",
pages = "153--186",
month = may,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jul 7 12:29:10 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bhatti:2005:XGX,
author = "Rafae Bhatti and Arif Ghafoor and Elisa Bertino and
James B. D. Joshi",
title = "{X-GTRBAC}: an {XML}-based policy specification
framework and architecture for enterprise-wide access
control",
journal = j-TISSEC,
volume = "8",
number = "2",
pages = "187--227",
month = may,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jul 7 12:29:10 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Du:2005:PKP,
author = "Wenliang Du and Jing Deng and Yunghsiang S. Han and
Pramod K. Varshney and Jonathan Katz and Aram Khalili",
title = "A pairwise key predistribution scheme for wireless
sensor networks",
journal = j-TISSEC,
volume = "8",
number = "2",
pages = "228--258",
month = may,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jul 7 12:29:10 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Zhou:2005:APS,
author = "Lidong Zhou and Fred B. Schneider and Robbert {Van
Renesse}",
title = "{APSS}: proactive secret sharing in asynchronous
systems",
journal = j-TISSEC,
volume = "8",
number = "3",
pages = "259--286",
month = aug,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Sep 17 15:42:03 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Dojen:2005:CLP,
author = "Reiner Dojen and Tom Coffey",
title = "The concept of layered proving trees and its
application to the automation of security protocol
verification",
journal = j-TISSEC,
volume = "8",
number = "3",
pages = "287--311",
month = aug,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Sep 17 15:42:03 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gunetti:2005:KAF,
author = "Daniele Gunetti and Claudia Picardi",
title = "Keystroke analysis of free text",
journal = j-TISSEC,
volume = "8",
number = "3",
pages = "312--347",
month = aug,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Sep 17 15:42:03 MDT 2005",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ferrari:2005:GES,
author = "Elena Ferrari",
title = "Guest editorial: {Special} issue on access control
models and technologies",
journal = j-TISSEC,
volume = "8",
number = "4",
pages = "349--350",
month = nov,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jan 10 07:44:45 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Zhang:2005:FMP,
author = "Xinwen Zhang and Francesco Parisi-Presicce and Ravi
Sandhu and Jaehong Park",
title = "Formal model and policy specification of usage
control",
journal = j-TISSEC,
volume = "8",
number = "4",
pages = "351--387",
month = nov,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jan 10 07:44:45 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bhatti:2005:XGA,
author = "Rafae Bhatti and Basit Shafiq and Elisa Bertino and
Arif Ghafoor and James B. D. Joshi",
title = "{X-GTRBAC} admin: a decentralized administration model
for enterprise-wide access control",
journal = j-TISSEC,
volume = "8",
number = "4",
pages = "388--423",
month = nov,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jan 10 07:44:45 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Hengartner:2005:ACP,
author = "Urs Hengartner and Peter Steenkiste",
title = "Access control to people location information",
journal = j-TISSEC,
volume = "8",
number = "4",
pages = "424--456",
month = nov,
year = "2005",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jan 10 07:44:45 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ateniese:2006:IPR,
author = "Giuseppe Ateniese and Kevin Fu and Matthew Green and
Susan Hohenberger",
title = "Improved proxy re-encryption schemes with applications
to secure distributed storage",
journal = j-TISSEC,
volume = "9",
number = "1",
pages = "1--30",
month = feb,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Apr 29 09:23:50 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Malvestuto:2006:ASQ,
author = "Francesco M. Malvestuto and Mauro Mezzini and Marina
Moscarini",
title = "Auditing sum-queries to make a statistical database
secure",
journal = j-TISSEC,
volume = "9",
number = "1",
pages = "31--60",
month = feb,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Apr 29 09:23:50 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Mutz:2006:ASC,
author = "Darren Mutz and Fredrik Valeur and Giovanni Vigna and
Christopher Kruegel",
title = "Anomalous system call detection",
journal = j-TISSEC,
volume = "9",
number = "1",
pages = "61--93",
month = feb,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Apr 29 09:23:50 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Futoransky:2006:FAS,
author = "Ariel Futoransky and Emiliano Kargieman and Carlos
Sarraute and Ariel Waissbein",
title = "Foundations and applications for secure triggers",
journal = j-TISSEC,
volume = "9",
number = "1",
pages = "94--112",
month = feb,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Apr 29 09:23:50 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Oh:2006:ERA,
author = "Sejong Oh and Ravi Sandhu and Xinwen Zhang",
title = "An effective role administration model using
organization structure",
journal = j-TISSEC,
volume = "9",
number = "2",
pages = "113--137",
month = may,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1151414.1151415",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Aug 26 08:10:38 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bella:2006:APF,
author = "Giampaolo Bella and Lawrence C. Paulson",
title = "Accountability protocols: {Formalized} and verified",
journal = j-TISSEC,
volume = "9",
number = "2",
pages = "138--161",
month = may,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1151414.1151416",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Aug 26 08:10:38 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chandramouli:2006:BPA,
author = "R. Chandramouli and S. Bapatla and K. P. Subbalakshmi
and R. N. Uma",
title = "Battery power-aware encryption",
journal = j-TISSEC,
volume = "9",
number = "2",
pages = "162--180",
month = may,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1151414.1151417",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Aug 26 08:10:38 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Minimizing power consumption is crucial in battery
power-limited secure wireless mobile networks. In this
paper, we (a) introduce a hardware/software set-up to
measure the battery power consumption of encryption
algorithms through real-life experimentation, (b) based
on the profiled data, propose mathematical models to
capture the relationships between power consumption and
security, and (c) formulate and solve security
maximization subject to power constraints. Numerical
results are presented to illustrate the gains that can
be achieved in using solutions of the proposed security
maximization problems subject to power constraints.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gennaro:2006:FPB,
author = "Rosario Gennaro and Yehuda Lindell",
title = "A framework for password-based authenticated key
exchange",
journal = j-TISSEC,
volume = "9",
number = "2",
pages = "181--234",
month = may,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1151414.1151418",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Aug 26 08:10:38 MDT 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In this paper, we present a general framework for
password-based authenticated key exchange protocols, in
the common reference string model. Our protocol is
actually an abstraction of the key exchange protocol of
Katz et al. and is based on the recently introduced
notion of smooth projective hashing by Cramer and
Shoup. We gain a number of benefits from this
abstraction. First, we obtain a modular protocol that
can be described using just three high-level
cryptographic tools. This allows a simple and intuitive
understanding of its security. Second, our proof of
security is significantly simpler and more modular.
Third, we are able to derive analogs to the Katz et al.
protocol under additional cryptographic assumptions.
Specifically, in addition to the DDH assumption used by
Katz et al., we obtain protocols under both the
quadratic and N-residuosity assumptions. In order to
achieve this, we construct new smooth projective hash
functions.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{VanOorschot:2006:COD,
author = "Paul C. {Van Oorschot} and Stuart Stubblebine",
title = "On countering online dictionary attacks with login
histories and humans-in-the-loop",
journal = j-TISSEC,
volume = "9",
number = "3",
pages = "235--258",
month = aug,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 15 06:44:34 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{McDaniel:2006:MLS,
author = "Patrick McDaniel and Atul Prakash",
title = "Methods and limitations of security policy
reconciliation",
journal = j-TISSEC,
volume = "9",
number = "3",
pages = "259--291",
month = aug,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 15 06:44:34 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Murata:2006:XAC,
author = "Makoto Murata and Akihiko Tozawa and Michiharu Kudo
and Satoshi Hada",
title = "{XML} access control using static analysis",
journal = j-TISSEC,
volume = "9",
number = "3",
pages = "292--324",
month = aug,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 15 06:44:34 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Kogan:2006:PRS,
author = "Noam Kogan and Yuval Shavitt and Avishai Wool",
title = "A practical revocation scheme for broadcast encryption
using smartcards",
journal = j-TISSEC,
volume = "9",
number = "3",
pages = "325--351",
month = aug,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 15 06:44:34 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Winsborough:2006:SAT,
author = "William H. Winsborough and Ninghui Li",
title = "Safety in automated trust negotiation",
journal = j-TISSEC,
volume = "9",
number = "3",
pages = "352--390",
month = aug,
year = "2006",
CODEN = "ATISBQ",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 15 06:44:34 MST 2006",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Li:2006:SAR,
author = "Ninghui Li and Mahesh V. Tripunitara",
title = "Security analysis in role-based access control",
journal = j-TISSEC,
volume = "9",
number = "4",
pages = "391--420",
month = nov,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1187441.1187442",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:51 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The administration of large role-based access control
(RBAC) systems is a challenging problem. In order to
administer such systems, decentralization of
administration tasks by the use of delegation is an
effective approach. While the use of delegation greatly
enhances flexibility and scalability, it may reduce the
control that an organization has over its resources,
thereby diminishing a major advantage RBAC has over
discretionary access control (DAC). We propose to use
security analysis techniques to maintain desirable
security properties while delegating administrative
privileges. We give a precise definition of a family of
security analysis problems in RBAC, which is more
general than safety analysis that is studied in the
literature. We show that two classes of problems in the
family can be reduced to similar analysis in the
RT[$\leftarrow,\cap$] role-based trust-management
language, thereby establishing an interesting
relationship between RBAC and the RT framework. The
reduction gives efficient algorithms for answering most
kinds of queries in these two classes and establishes
the complexity bounds for the intractable cases.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "delegation; role-based access control; role-based
administration; trust management",
}
@Article{Mella:2006:CCU,
author = "Giovanni Mella and Elena Ferrari and Elisa Bertino and
Yunhua Koglin",
title = "Controlled and cooperative updates of {XML} documents
in {Byzantine} and failure-prone distributed systems",
journal = j-TISSEC,
volume = "9",
number = "4",
pages = "421--460",
month = nov,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1187441.1187443",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:51 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This paper proposes an infrastructure and related
algorithms for the controlled and cooperative updates
of XML documents. Key components of the proposed system
are a set of XML-based languages for specifying
access-control policies and the path that the document
must follow during its update. Such path can be fully
specified before the update process begins or can be
dynamically modified by properly authorized subjects
while being transmitted. Our approach is fully
distributed in that each party involved in the process
can verify the correctness of the operations performed
until that point on the document without relying on a
central authority. More importantly, the recovery
procedure also does not need the participation of a
central authority. Our approach is based on the use of
some special control information that is transmitted
together with the document and a suite of protocols. We
formally specify the structure of such control
information and the protocols. We also analyze security
and complexity of the proposed protocols.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "Byzantine and distributed systems; policy languages;
updates; XML documents",
}
@Article{Kogan:2006:IER,
author = "Noam Kogan and Tamir Tassa",
title = "Improved efficiency for revocation schemes via
{Newton} interpolation",
journal = j-TISSEC,
volume = "9",
number = "4",
pages = "461--486",
month = nov,
year = "2006",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1187441.1187444",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:51 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present a novel way to implement the
secret-sharing-based family of revocation schemes of
Naor and Pinkas [2003]. The basic scheme of [Naor and
Pinkas 2000] uses Shamir's polynomial secret-sharing to
revoke up to r users, where r is the degree of the
secret-sharing polynomial, and it is information
theoretically secure against coalitions of up to r
collaborators. The nonrevoked users use Lagrange
interpolation in order to compute the new key. Our
basic scheme uses a novel modification of Shamir's
polynomial secret-sharing: The secret equals the
leading coefficient of the polynomial (as opposed to
the free coefficient as in the original scheme) and the
polynomial is reconstructed by Newton interpolation
(rather than Lagrange interpolation). Comparing our
scheme to one variant of the Naor--Pinkas scheme, we
offer revocation messages that are shorter by a factor
of almost 2, while the computation cost at the user end
is smaller by a constant factor of approximately 13/2.
Comparing to a second variant of the Naor--Pinkas
scheme, our scheme offers a reduction of $O(r)$ in the
computation cost at the user end, without affecting any
of the other performance parameters. We then extend our
basic scheme to perform multiround revocation for
stateless and stateful receivers, along the lines
offered by Naor and Pinkas [2000] and Kogan et al.
[2003]. We show that using Newton rather than Lagrange
interpolants enables a significantly more efficient
transmission of the new revocation message and shorter
response time for each round. Pay TV systems that
implement broadcast encryption techniques can benefit
significantly from the improved efficiency offered by
our revocation schemes.",
acknowledgement = ack-nhfb,
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "broadcast encryption; Newton interpolation; secret
sharing; user revocation",
}
@Article{Ahn:2007:GES,
author = "Gail-Joon Ahn",
title = "Guest editorial: {Special} issue on access control
models and technologies",
journal = j-TISSEC,
volume = "10",
number = "1",
pages = "1:1--1:??",
month = feb,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1210263.1216576",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:58 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Damiani:2007:GRS,
author = "Maria Luisa Damiani and Elisa Bertino and Barbara
Catania and Paolo Perlasca",
title = "{GEO-RBAC}: a spatially aware {RBAC}",
journal = j-TISSEC,
volume = "10",
number = "1",
pages = "2:1--2:??",
month = feb,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1210263.1210265",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:58 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Securing access to data in location-based services and
mobile applications requires the definition of
spatially aware access-control systems. Even if some
approaches have already been proposed either in the
context of geographic database systems or context-aware
applications, a comprehensive framework, general and
flexible enough to deal with spatial aspects in real
mobile applications, is still missing. In this paper,
we make one step toward this direction and present
GEO-RBAC, an extension of the RBAC model enhanced with
spatial- and location-based information. In GEO-RBAC,
spatial entities are used to model objects, user
positions, and geographically bounded roles. Roles are
activated based on the position of the user. Besides a
physical position, obtained from a given mobile
terminal or a cellular phone, users are also assigned a
logical and device-independent position, representing
the feature (the road, the town, the region) in which
they are located. To enhance flexibility and
reusability, we also introduce the concept of role
schema, specifying the name of the role, as well as the
type of the role spatial boundary and the granularity
of the logical position. We then extend GEO-RBAC to
support hierarchies, modeling permission, user, and
activation inheritance, and separation of duty
constraints. The proposed classes of constraints extend
the conventional ones to deal with different
granularities (schema/instance level) and spatial
information. We conclude the paper with an analysis of
several properties concerning the resulting model.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access-control model; GIS; location-based services",
}
@Article{Iwaihara:2007:RBA,
author = "Mizuho Iwaihara and Ryotaro Hayashi and Somchai
Chatvichienchai and Chutiporn Anutariya and Vilas
Wuwongse",
title = "Relevancy-based access control and its evaluation on
versioned {XML} documents",
journal = j-TISSEC,
volume = "10",
number = "1",
pages = "3:1--3:??",
month = feb,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1210263.1210266",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:58 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Integration of version and access control of XML
documents has the benefit of regulating access to
rapidly growing archives of XML documents. Versioned
XML documents provide us with valuable information on
dependencies between document nodes, but, at the same
time, presenting the risk of undesirable data
disclosure. In this article, we introduce the notion of
relevancy-based access control, which realizes
protection of versioned XML documents by various types
of relevancy, such as version dependencies, schema
similarities, and temporal proximity. We define a new
path query language XVerPath over XML document
versions, which can be utilized for specifying
relevancy-based access-control policies. We also
introduce the notion of relevancy class, for
collectively and compactly specifying relevancy-based
policies. Regarding efficient processing of access
requests, we propose the packed version model, which
realizes space-efficient difference-based archives of
versioned XML documents and, at the same time,
providing efficient evaluation of XVerPath queries.
Experimental results show reasonable performance
superiority over conventional methods, which do not
utilize version differences.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control; query language; security; version
control; XML; XPath",
}
@Article{Zhou:2007:MNI,
author = "Jingmin Zhou and Mark Heckman and Brennen Reynolds and
Adam Carlson and Matt Bishop",
title = "Modeling network intrusion detection alerts for
correlation",
journal = j-TISSEC,
volume = "10",
number = "1",
pages = "4:1--4:??",
month = feb,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1210263.1210267",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:51:58 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Signature-based network intrusion-detection systems
(NIDSs) often report a massive number of simple alerts
of low-level security-related events. Many of these
alerts are logically involved in a single multi-stage
intrusion incident and a security officer often wants
to analyze the complete incident instead of each
individual simple alert. This paper proposes a
well-structured model that abstracts the logical
relation between the alerts in order to support
automatic correlation of those alerts involved in the
same intrusion. The basic building block of the model
is a logical formula called a capability. We use
capability to abstract consistently and precisely all
levels of accesses obtained by the attacker in each
step of a multistage intrusion. We then derive
inference rules to define logical relations between
different capabilities. Based on the model and the
inference rules, we have developed several novel alert
correlation algorithms and implemented a prototype
alert correlator. The experimental results of the
correlator using several intrusion datasets demonstrate
that the approach is effective in both alert fusion and
alert correlation and has the ability to correlate
alerts of complex multistage intrusions. In several
instances, the alert correlator successfully correlated
more than two thousand Snort alerts involved in massive
scanning incidents. It also helped us find two
multistage intrusions that were missed in auditing by
the security officers.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "alert correlation; alert fusion; capability; intrusion
detection",
}
@Article{Li:2007:MER,
author = "Ninghui Li and Mahesh V. Tripunitara and Ziad Bizri",
title = "On mutually exclusive roles and separation-of-duty",
journal = j-TISSEC,
volume = "10",
number = "2",
pages = "5:1--5:??",
month = may,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1237500.1237501",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:05 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Separation-of-duty (SoD) is widely considered to be a
fundamental principle in computer security. A static
SoD (SSoD) policy states that in order to have all
permissions necessary to complete a sensitive task, the
cooperation of at least a certain number of users is
required. Role-based access control (RBAC) is today's
dominant access-control model. It is widely believed
that one of RBAC's main strengths is that it enables
the use of constraints to support policies, such as
separation-of-duty. In the literature on RBAC,
statically mutually exclusive roles (SMER) constraints
are used to enforce SSoD policies. In this paper, we
formulate and study fundamental computational problems
related to the use of SMER constraints to enforce SSoD
policies. We show that directly enforcing SSoD policies
is intractable (coNP-complete), while checking whether
an RBAC state satisfies a set of SMER constraints is
efficient; however, verifying whether a given set of
SMER constraints enforces an SSoD policy is also
intractable (coNP-complete). We discuss the
implications of these results. We show also how to
generate SMER constraints that are as accurate as
possible for enforcing an SSoD policy.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "computational complexity; constraints; role-based
access control; separation-of-duty; verification",
}
@Article{Peng:2007:BZK,
author = "Kun Peng and Colin Boyd and Ed Dawson",
title = "Batch zero-knowledge proof and verification and its
applications",
journal = j-TISSEC,
volume = "10",
number = "2",
pages = "6:1--6:??",
month = may,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1237500.1237502",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:05 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The batch verification technique of Bellare et al. is
extended to verification of several frequently employed
zero-knowledge proofs. The new techniques are correct,
sound, efficient, and can be widely applied. Specific
applications are discussed in detail, including batch
ZK proof and verification of validity of encryption (or
reencryption) and batch ZK proof and verification of
validity of decryption. Considerable efficiency
improvements are gained in these two applications
without compromising security. As a result, efficiency
of the practical cryptographic systems (such as mix
networks) based on these two applications is
dramatically improved.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "batch proof and verification of decryption; batch
proof and verification of reencryption; mix network",
}
@Article{Ahmed:2007:SVS,
author = "Tanvir Ahmed and Anand R. Tripathi",
title = "Specification and verification of security
requirements in a programming model for decentralized
{CSCW} systems",
journal = j-TISSEC,
volume = "10",
number = "2",
pages = "7:1--7:??",
month = may,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1237500.1237503",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:05 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present, in this paper, a role-based model for
programming distributed CSCW systems. This model
supports specification of dynamic security and
coordination requirements in such systems. We also
present here a model-checking methodology for verifying
the security properties of a design expressed in this
model. The verification methodology presented here is
used to ensure correctness and consistency of a design
specification. It is also used to ensure that sensitive
security requirements cannot be violated when policy
enforcement functions are distributed among the
participants. Several aspect-specific verification
models are developed to check security properties, such
as task-flow constraints, information flow,
confidentiality, and assignment of administrative
privileges.",
acknowledgement = ack-nhfb,
articleno = "7",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "finite state-based model checking; methodology for
access-control policy design; role-based access
control; Security policy specification",
}
@Article{Bhargavan:2007:SSW,
author = "Karthikeyan Bhargavan and Ricardo Corin and C{\'e}dric
Fournet and Andrew D. Gordon",
title = "Secure sessions for {Web} services",
journal = j-TISSEC,
volume = "10",
number = "2",
pages = "8:1--8:??",
month = may,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1237500.1237504",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:05 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We address the problem of securing sequences of SOAP
messages exchanged between web services and their
clients. The WS-Security standard defines basic
mechanisms to secure SOAP traffic, one message at a
time. For typical web services, however, using
WS-Security independently for each message is rather
inefficient; moreover, it is often important to secure
the integrity of a whole session, as well as each
message. To these ends, recent specifications provide
further SOAP-level mechanisms. WS-SecureConversation
defines security contexts, which can be used to secure
sessions between two parties. WS-Trust specifies how
security contexts are issued and obtained. We develop a
semantics for the main mechanisms of WS-Trust and
WS-SecureConversation, expressed as a library for
TulaFale, a formal scripting language for security
protocols. We model typical protocols relying on these
mechanisms and automatically prove their main security
properties. We also informally discuss some pitfalls
and limitations of these specifications.",
acknowledgement = ack-nhfb,
articleno = "8",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "Web services; XML security",
}
@Article{Abadi:2007:JFK,
author = "Mart{\'\i}n Abadi and Bruno Blanchet and C{\'e}dric
Fournet",
title = "Just fast keying in the pi calculus",
journal = j-TISSEC,
volume = "10",
number = "3",
pages = "9:1--9:??",
month = jul,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1266977.1266978",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:14 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "JFK is a recent, attractive protocol for fast key
establishment as part of securing IP communication. In
this paper, we formally analyze this protocol in the
applied pi calculus (partly in terms of observational
equivalences and partly with the assistance of an
automatic protocol verifier). We treat JFK's core
security properties and also other properties that are
rarely articulated and rigorously studied, such as
plausible deniability and resistance to
denial-of-service attacks. In the course of this
analysis, we found some ambiguities and minor problems,
such as limitations in identity protection, but we
mostly obtain positive results about JFK. For this
purpose, we develop ideas and techniques that should be
more generally useful in the specification and
verification of security protocols.",
acknowledgement = ack-nhfb,
articleno = "9",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "IP security; key exchange; process calculus",
}
@Article{Bresson:2007:PSA,
author = "Emmanuel Bresson and Olivier Chevassut and David
Pointcheval",
title = "Provably secure authenticated group {Diffie--Hellman}
key exchange",
journal = j-TISSEC,
volume = "10",
number = "3",
pages = "10:1--10:??",
month = jul,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1266977.1266979",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:14 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Authenticated key-exchange protocols allow two
participants A and B, communicating over a public
network and each holding an authentication means to
exchange a shared secret value. Methods designed to
deal with this cryptographic problem ensure A (resp. B)
that no other participants aside from B (resp. A)
can learn any information about the agreed value and
often also ensure A and B that their respective partner
has actually computed this value. A natural extension
to this cryptographic method is to consider a pool of
participants exchanging a shared secret value and to
provide a formal treatment for it. Starting from the
famous two-party Diffie--Hellman (DH) key-exchange
protocol and from its authenticated variants, security
experts have extended it to the multiparty setting for
over a decade and, in the past few years, completed a
formal analysis in the framework of modern
cryptography. The present paper synthesizes this body
of work on the provably-secure authenticated group DH
key exchange.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "cryptography; Diffie--Hellman; Group Key Exchange",
}
@Article{vanOorschot:2007:IRS,
author = "P. C. van Oorschot and Tao Wan and Evangelos
Kranakis",
title = "On interdomain routing security and pretty secure {BGP
(psBGP)}",
journal = j-TISSEC,
volume = "10",
number = "3",
pages = "11:1--11:??",
month = jul,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1266977.1266980",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:14 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "It is well known that the Border Gateway Protocol
(BGP), the IETF standard interdomain routing protocol,
is vulnerable to a variety of attacks, and that a
single misconfigured or malicious BGP speaker could
result in large-scale service disruption. In this
paper, we present Pretty Secure BGP (psBGP)---a
proposal for securing BGP, including an architectural
overview, design details for significant aspects, and
preliminary security and operational analysis. psBGP
differs from other security proposals (e.g., S-BGP
and soBGP) in that it makes use of a single-level PKI
for AS number authentication, a decentralized trust
model for verifying the propriety of IP prefix origin,
and a rating-based stepwise approach for AS\_PATH
(integrity) verification. psBGP trades off the strong
security guarantees of S-BGP for presumed-simpler
operation, e.g., using a PKI with a simple structure,
with a small number of certificate types, and of
manageable size. psBGP is designed to successfully
defend against various (nonmalicious and malicious)
threats from uncoordinated BGP speakers, and to be
incrementally deployed with incremental benefits.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "authentication; BGP; certificates; interdomain
routing; public-key infrastructure; secure routing
protocols; trust",
}
@Article{Squicciarini:2007:PTX,
author = "A. Squicciarini and E. Bertino and Elena Ferrari and
F. Paci and B. Thuraisingham",
title = "{PP-trust-X}: a system for privacy preserving trust
negotiations",
journal = j-TISSEC,
volume = "10",
number = "3",
pages = "12:1--12:??",
month = jul,
year = "2007",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1266977.1266981",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:14 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Trust negotiation is a promising approach for
establishing trust in open systems, in which sensitive
interactions may often occur between entities with no
prior knowledge of each other. Although to date
several trust negotiation systems have been proposed,
none of them fully address the problem of privacy
preservation. Today, privacy is one of the major
concerns of users when exchanging information through
the Web and thus we believe that trust negotiation
systems must effectively address privacy issues in
order to be widely applicable. For these reasons, in
this paper, we investigate privacy in the context of
trust negotiations. We propose a set of
privacy-preserving features for inclusion in any trust
negotiation system, such as the support for the P3P
standard, as well as a number of innovative features,
such as a novel format for encoding digital credentials
specifically designed for preserving privacy. Further,
we present a variety of interoperable strategies to
carry on the negotiation with the aim of improving both
privacy and efficiency.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control; attribute-based access control;
automated trust negotiation; credentials; privacy;
strategy",
}
@Article{Chakrabarti:2008:ETR,
author = "Deepayan Chakrabarti and Yang Wang and Chenxi Wang and
Jurij Leskovec and Christos Faloutsos",
title = "Epidemic thresholds in real networks",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "1:1--1:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1284681",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "How will a virus propagate in a real network? How long
does it take to disinfect a network given particular
values of infection rate and virus death rate? What is
the single best node to immunize? Answering these
questions is essential for devising network-wide
strategies to counter viruses. In addition, viral
propagation is very similar in principle to the spread
of rumors, information, and ``fads,'' implying that the
solutions for viral propagation would also offer
insights into these other problem settings. We answer
these questions by developing a nonlinear dynamical
system (NLDS) that accurately models viral
propagation in any arbitrary network, including real
and synthesized network graphs. We propose a general
epidemic threshold condition for the NLDS system: we
prove that the epidemic threshold for a network is
exactly the inverse of the largest eigenvalue of its
adjacency matrix. Finally, we show that below the
epidemic threshold, infections die out at an
exponential rate. Our epidemic threshold model subsumes
many known thresholds for special-case graphs (e.g.,
Erd{\H{o}}s--R{\'e}nyi, BA powerlaw, homogeneous). We
demonstrate the predictive power of our model with
extensive experiments on real and synthesized graphs,
and show that our threshold condition holds for
arbitrary graphs. Finally, we show how to utilize our
threshold condition for practical uses: It can dictate
which nodes to immunize; it can assess the effects of a
throttling policy; it can help us design network
topologies so that they are more resistant to
viruses.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "eigenvalue; epidemic threshold; viral propagation",
}
@Article{Joshi:2008:FFH,
author = "James B. D. Joshi and Elisa Bertino and Arif Ghafoor
and Yue Zhang",
title = "Formal foundations for hybrid hierarchies in
{GTRBAC}",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "2:1--2:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1284682",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A role hierarchy defines permission acquisition and
role-activation semantics through role--role
relationships. It can be utilized for efficiently and
effectively structuring functional roles of an
organization having related access-control needs. The
focus of this paper is the analysis of hybrid role
hierarchies in the context of the generalized temporal
role-based access control (GTRBAC) model that allows
specification of a comprehensive set of temporal
constraints on role, user-role, and role-permission
assignments. We introduce the notion of uniquely
activable set (UAS) associated with a role hierarchy
that indicates the access capabilities of a user
resulting from his membership to a role in the
hierarchy. Identifying such a role set is essential,
while making an authorization decision about whether or
not a user should be allowed to activate a particular
combination of roles in a single session. We formally
show how UAS can be determined for a hybrid hierarchy.
Furthermore, within a hybrid hierarchy, various
hierarchical relations may be derived between an
arbitrary pair of roles. We present a set of inference
rules that can be used to generate all the possible
derived relations that can be inferred from a specified
set of hierarchical relations and show that it is sound
and complete. We also present an analysis of hierarchy
transformations with respect to role addition,
deletion, and partitioning, and show how various cases
of these transformations allow the original permission
acquisition and role-activation semantics to be
managed. The formal results presented here provide a
basis for developing efficient security administration
and management tools.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "derived relation; role hierarchy",
}
@Article{Gassend:2008:CPR,
author = "Blaise Gassend and Marten {Van Dijk} and Dwaine Clarke
and Emina Torlak and Srinivas Devadas and Pim Tuyls",
title = "Controlled physical random functions and
applications",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "3:1--3:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1284683",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The cryptographic protocols that we use in everyday
life rely on the secure storage of keys in consumer
devices. Protecting these keys from invasive attackers,
who open a device to steal its key, is a challenging
problem. We propose controlled physical random
functions (CPUFs) as an alternative to storing keys and
describe the core protocols that are needed to use
CPUFs. A physical random function (PUF) is a physical
system with an input and output. The functional
relationship between input and output looks like that
of a random function. The particular relationship is
unique to a specific instance of a PUF, hence, one
needs access to a particular PUF instance to evaluate
the function it embodies. The cryptographic
applications of a PUF are quite limited unless the PUF
is combined with an algorithm that limits the ways in
which the PUF can be evaluated; this is a CPUF. A major
difficulty in using CPUFs is that you can only know a
small set of outputs of the PUF---the unknown outputs
being unrelated to the known ones. We present protocols
that get around this difficulty and allow a chain of
trust to be established between the CPUF manufacturer
and a party that wishes to interact securely with the
PUF device. We also present some elementary
applications, such as certified execution.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "certified execution; physical random function;
physical security; physical unclonable function;
trusted computing",
}
@Article{Bouganim:2008:DAC,
author = "Luc Bouganim and Fran{\c{c}}ois Dang Ngoc and Philippe
Pucheral",
title = "Dynamic access-control policies on {XML} encrypted
data",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "4:1--4:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1284684",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The erosion of trust put in traditional database
servers and in Database Service Providers and the
growing interest for different forms of selective data
dissemination are different factors that lead to move
the access-control from servers to clients. Different
data encryption and key dissemination schemes have been
proposed to serve this purpose. By compiling the
access-control rules into the encryption process, all
these methods suffer from a static way of sharing data.
With the emergence of hardware security elements on
client devices, more dynamic client-based
access-control schemes can be devised. This paper
proposes a tamper-resistant client-based XML
access-right controller supporting flexible and dynamic
access-control policies. The access-control engine is
embedded in a hardware-secure device and, therefore,
must cope with specific hardware resources. This engine
benefits from a dedicated index to quickly converge
toward the authorized parts of a potentially streaming
XML document. Pending situations (i.e., where data
delivery is conditioned by predicates, which apply to
values encountered afterward in the document stream)
are handled gracefully, skipping, whenever possible, the
pending elements and reassembling relevant parts when
the pending situation is solved. Additional security
mechanisms guarantee that (1) the input document is
protected from any form of tampering and (2) no
forbidden information can be gained by replay attacks
on different versions of the XML document and of the
access-control rules. Performance measurements on
synthetic and real datasets demonstrate the
effectiveness of the approach. Finally, the paper
reports on two experiments conducted with a prototype
running on a secured hardware platform.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access-control; data confidentiality; smartcard;
ubiquitous data management",
}
@Article{vanOorschot:2008:PMU,
author = "P. C. van Oorschot and Julie Thorpe",
title = "On predictive models and user-drawn graphical
passwords",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "5:1--5:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1284685",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In commonplace text-based password schemes, users
typically choose passwords that are easy to recall,
exhibit patterns, and are thus vulnerable to
brute-force dictionary attacks. This leads us to ask
whether other types of passwords (e.g., graphical)
are also vulnerable to dictionary attack because of
users tending to choose memorable passwords. We suggest
a method to predict and model a number of such classes
for systems where passwords are created solely from a
user's memory. We hypothesize that these classes define
weak password subspaces suitable for an attack
dictionary. For user-drawn graphical passwords, we
apply this method with cognitive studies on visual
recall. These cognitive studies motivate us to define a
set of password complexity factors (e.g., reflective
symmetry and stroke count), which define a set of
classes. To better understand the size of these classes
and, thus, how weak the password subspaces they define
might be, we use the ``Draw-A-Secret'' (DAS) graphical
password scheme of Jermyn et al. [1999] as an example.
We analyze the size of these classes for DAS under
convenient parameter choices and show that they can be
combined to define apparently popular subspaces that
have bit sizes ranging from 31 to 41---a surprisingly
small proportion of the full password space (58 bits).
Our results quantitatively support suggestions that
user-drawn graphical password systems employ measures,
such as graphical password rules or guidelines and
proactive password checking.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "dictionary attack; Draw-a-Secret; graphical
dictionary; Graphical passwords; memorable passwords;
modeling user choice; password complexity factors",
}
@Article{Awerbuch:2008:ODS,
author = "Baruch Awerbuch and Reza Curtmola and David Holmer and
Cristina Nita-Rotaru and Herbert Rubens",
title = "{ODSBR}: an on-demand secure {Byzantine} resilient
routing protocol for wireless ad hoc networks",
journal = j-TISSEC,
volume = "10",
number = "4",
pages = "6:1--6:??",
month = jan,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1284680.1341892",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:24 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Ad hoc networks offer increased coverage by using
multihop communication. This architecture makes
services more vulnerable to internal attacks coming
from compromised nodes that behave arbitrarily to
disrupt the network, also referred to as Byzantine
attacks. In this work, we examine the impact of several
Byzantine attacks performed by individual or colluding
attackers. We propose ODSBR, the first on-demand
routing protocol for ad hoc wireless networks that
provides resilience to Byzantine attacks caused by
individual or colluding nodes. The protocol uses an
adaptive probing technique that detects a malicious
link after log n faults have occurred, where n is the
length of the path. Problematic links are avoided by
using a route discovery mechanism that relies on a new
metric that captures adversarial behavior. Our protocol
never partitions the network and bounds the amount of
damage caused by attackers. We demonstrate through
simulations ODSBR's effectiveness in mitigating
Byzantine attacks. Our analysis of the impact of these
attacks versus the adversary's effort gives insights
into their relative strengths, their interaction, and
their importance when designing multihop wireless
routing protocols.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "ad hoc wireless networks; Byzantine failures;
on-demand routing; security",
}
@Article{Ray:2008:E,
author = "Indrakshi Ray",
title = "Editorial",
journal = j-TISSEC,
volume = "11",
number = "1",
pages = "1:1--1:??",
month = feb,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330295.1330296",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:35 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Lee:2008:TAS,
author = "Adam J. Lee and Marianne Winslett and Jim Basney and
Von Welch",
title = "The {Traust Authorization Service}",
journal = j-TISSEC,
volume = "11",
number = "1",
pages = "2:1--2:??",
month = feb,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330295.1330297",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:35 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In recent years, trust negotiation has been proposed
as a novel authorization solution for use in
open-system environments, in which resources are shared
across organizational boundaries. Researchers have
shown that trust negotiation is indeed a viable
solution for these environments by developing a number
of policy languages and strategies for trust
negotiation that have desirable theoretical properties.
Further, existing protocols, such as TLS, have been
altered to interact with prototype trust negotiation
systems, thereby illustrating the utility of trust
negotiation. Unfortunately, modifying existing
protocols is often a time-consuming and bureaucratic
process that can hinder the adoption of this promising
technology. \par
In this paper, we present Traust, a third-party
authorization service that leverages the strengths of
existing prototype trust negotiation systems. Traust
acts as an authorization broker that issues access
tokens for resources in an open system after entities
use trust negotiation to satisfy the appropriate
resource access policies. The Traust architecture was
designed to allow Traust to be integrated either
directly with newer trust-aware applications or
indirectly with existing legacy applications; this
flexibility paves the way for the incremental adoption
of trust negotiation technologies without requiring
widespread software or protocol upgrades. We discuss
the design and implementation of Traust, the
communication protocol used by the Traust system, and
its performance. We also discuss our experiences using
Traust to broker access to legacy resources, our
proposal for a Traust-aware version of the GridFTP
protocol, and Traust's resilience to attack.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "attribute-based access control; credentials; trust
negotiation",
}
@Article{Zhang:2008:TUB,
author = "Xinwen Zhang and Masayuki Nakae and Michael J.
Covington and Ravi Sandhu",
title = "Toward a {Usage-Based Security Framework} for
{Collaborative Computing Systems}",
journal = j-TISSEC,
volume = "11",
number = "1",
pages = "3:1--3:??",
month = feb,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330295.1330298",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:35 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Collaborative systems such as Grids provide efficient
and scalable access to distributed computing
capabilities and enable seamless resource sharing
between users and platforms. This heterogeneous
distribution of resources and the various modes of
collaborations that exist between users, virtual
organizations, and resource providers require scalable,
flexible, and fine-grained access control to protect
both individual and shared computing resources. In this
article we propose a usage control (UCON) based
security framework for collaborative applications, by
following a layered approach with policy, enforcement,
and implementation models, called the PEI framework. In
the policy model layer, UCON policies are specified
with predicates on subject and object attributes, along
with system attributes as conditional constraints and
user actions as obligations. General attributes include
not only persistent attributes such as role and group
memberships but also mutable usage attributes of
subjects and objects. Conditions in UCON can be used to
support context-based authorizations in ad hoc
collaborations. In the enforcement model layer, our
novel framework uses a hybrid approach for subject
attribute acquisition with both push and pull modes. By
leveraging attribute propagations between a centralized
attribute repository and distributed policy decision
points, our architecture supports decision continuity
and attribute mutability of the UCON policy model, as
well as obligation evaluations during policy
enforcement. As a proof-of-concept, we implement a
prototype system based on our proposed architecture and
conduct experimental studies to demonstrate the
feasibility and performance of our approach.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control; Authorization; collaborative
computing; security architecture; UCON; usage control",
}
@Article{Mazzoleni:2008:XPI,
author = "Pietro Mazzoleni and Bruno Crispo and Swaminathan
Sivasubramanian and Elisa Bertino",
title = "{XACML Policy Integration Algorithms}",
journal = j-TISSEC,
volume = "11",
number = "1",
pages = "4:1--4:??",
month = feb,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330295.1330299",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:35 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "XACML is the OASIS standard language specifically
aimed at the specification of authorization policies.
While XACML fits well with the security requirements of
a single enterprise (even if large and composed by
multiple departments), it does not address the
requirements of virtual enterprises in which several
autonomous subjects collaborate by sharing their
resources to provide better services to customers. In
this article we highlight such limitation, and we
propose an XACML extension, the policy integration
algorithms, to address them. In the article we also
present the implementation of a system that makes use
of the policy integration algorithms to securely
replicate information in a P2P-like environment. In our
solution, the data replication process considers the
policies specified by both the owners of the data
shared and the peers sharing data storage.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "content distributed networks; distributed systems;
security policies integration; SOA; Web services;
XACML",
}
@Article{Lee:2008:CPK,
author = "Jooyoung Lee and Douglas R. Stinson",
title = "On the Construction of Practical Key Predistribution
Schemes for Distributed Sensor Networks Using
Combinatorial Designs",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "1:1--1:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330333",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In this paper, we discuss the use of combinatorial set
systems (combinatorial designs) in the design of key
predistribution schemes (KPSs) for sensor networks. We
show that the performance of a KPS can be improved by
carefully choosing a certain class of set systems as
``key ring spaces''. Especially, we analyze KPSs based
on a type of combinatorial design known as a
{\em transversal design}. We employ
two types of transversal designs, which are represented
by the set of all linear polynomials and the set of
quadratic polynomials (over some finite field),
respectively. These KPSs turn out to have significant
efficiency in a shared-key discovery phase without
degrading connectivity and resiliency.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "key predistribution; security; wireless sensor
networks",
}
@Article{Mano:2008:RRI,
author = "Chad D. Mano and Andrew Blaich and Qi Liao and Yingxin
Jiang and David A. Cieslak and David C. Salyers and
Aaron Striegel",
title = "{RIPPS}: {Rogue Identifying Packet Payload Slicer
Detecting Unauthorized Wireless Hosts Through Network
Traffic Conditioning}",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "2:1--2:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330334",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Wireless network access has become an integral part of
computing both at home and at the workplace. The
convenience of wireless network access at work may be
extremely beneficial to employees, but can be a burden
to network security personnel. This burden is magnified
by the threat of inexpensive wireless access points
being installed in a network without the knowledge of
network administrators. These devices, termed
{\em Rogue Wireless Access Points},
may allow a malicious outsider to access valuable
network resources, including confidential communication
and other stored data. For this reason, wireless
connectivity detection is an essential capability, but
remains a difficult problem. We present a method of
detecting wireless hosts using a local RTT metric and a
novel packet payload slicing technique. The local RTT
metric provides the means to identify physical
transmission media while packet payload slicing
conditions network traffic to enhance the accuracy of
the detections. Most importantly, the packet payload
slicing method is transparent to both clients and
servers and does not require direct communication
between the monitoring system and monitored hosts.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "network security; rogue systems; traffic
conditioning",
}
@Article{Wright:2008:PLA,
author = "Matthew K. Wright and Micah Adler and Brian Neil
Levine and Clay Shields",
title = "Passive-Logging {Attacks Against Anonymous
Communications Systems}",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "3:1--3:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330335",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Using analysis, simulation, and experimentation, we
examine the threat against anonymous communications
posed by passive-logging attacks. In previous work, we
analyzed the success of such attacks under various
assumptions. Here, we evaluate the effects of these
assumptions more closely. First, we analyze the Onion
Routing-based model used in prior work in which a fixed
set of nodes remains in the system indefinitely. We
show that for this model, by removing the assumption of
uniformly random selection of nodes for placement in
the path, initiators can greatly improve their
anonymity. Second, we show by simulation that attack
times are significantly lower in practice than bounds
given by analytical results from prior work. Third, we
analyze the effects of a dynamic membership model, in
which nodes are allowed to join and leave the system;
we show that all known defenses fail more quickly when
the assumption of a static node set is relaxed. Fourth,
intersection attacks against peer-to-peer systems are
shown to be an additional danger, either on their own
or in conjunction with the predecessor attack. Finally,
we address the question of whether the regular
communication patterns required by the attacks exist in
real traffic. We collected and analyzed the Web
requests of users to determine the extent to which
basic patterns can be found. We show that, for our
study, frequent and repeated communication to the same
Web site is common.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "anonymity; anonymous communication; intersection
attack; predecessor attack; privacy",
}
@Article{Cheon:2008:PST,
author = "Jung Hee Cheon and Nicholas Hopper and Yongdae Kim and
Ivan Osipkov",
title = "Provably {Secure Timed-Release Public Key
Encryption}",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "4:1--4:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330336",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A timed-release cryptosystem allows a sender to
encrypt a message so that only the intended recipient
can read it only after a specified time. We formalize
the concept of a secure timed-release public-key
cryptosystem and show that, if a third party is relied
upon to guarantee decryption after the specified date,
this concept is equivalent to identity-based
encryption; this explains the observation that all
known constructions use identity-based encryption to
achieve timed-release security. We then give several
provably-secure constructions of timed-release
encryption: a generic scheme based on any
identity-based encryption scheme, and two more
efficient schemes based on the existence of
cryptographically admissible bilinear mappings. The
first of these is essentially as efficient as the
Boneh--Franklin Identity-Based encryption scheme, and
is provably secure and authenticated in the random
oracle model; the final scheme is not authenticated but
is provably secure in the standard model (i.e.,
without random oracles).",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "authenticated encryption; key-insulated encryption;
timed-release",
}
@Article{Pang:2008:VCR,
author = "Hweehwa Pang and Kian-Lee Tan",
title = "Verifying Completeness of Relational Query Answers
from Online Servers",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "5:1--5:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330337",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The number of successful attacks on the Internet shows
that it is very difficult to guarantee the security of
online servers over extended periods of time. A
breached server that is not detected in time may return
incorrect query answers to users. In this article, we
introduce authentication schemes for users to verify
that their query answers from an online server are
complete (i.e., no qualifying tuples are omitted) and
authentic (i.e., all the result values are
legitimate). We introduce a scheme that supports range
selection, projection as well as primary key-foreign
key join queries on relational databases. We also
present authentication schemes for single- and
multi-attribute range aggregate queries. The schemes
complement access control mechanisms that rewrite
queries dynamically, and are computationally secure. We
have implemented the proposed schemes, and experiment
results showed that they are practical and feasible
schemes with low overheads.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "query answer verification; secure database systems",
}
@Article{Brandt:2008:EUP,
author = "Felix Brandt and Tuomas Sandholm",
title = "On the Existence of Unconditionally Privacy-Preserving
Auction Protocols",
journal = j-TISSEC,
volume = "11",
number = "2",
pages = "6:1--6:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1330332.1330338",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:41 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We investigate whether it is possible to preserve
privacy in sealed-bid auctions to a maximal extent. In
particular, this paper focuses on
{\em unconditional full privacy}, i.e.,
privacy that relies neither on trusted third
parties (like auctioneers), nor on computational
intractability assumptions (like the hardness of
factoring). These constraints imply a scenario in which
bidders exchange messages according to some predefined
protocol in order to jointly determine the auction
outcome without revealing any additional information.
It turns out that the first-price sealed-bid auction
can be emulated by an unconditionally fully private
protocol. However, the protocol's round complexity is
exponential in the bid size, and there is no more
efficient protocol. On the other hand, we prove the
impossibility of privately emulating the second-price
sealed-bid auction for more than two bidders. This
impossibility holds even when relaxing various privacy
constraints such as allowing the revelation of all but
one losing bid (while maintaining anonymity) or
allowing the revelation of the second highest bidder's
identity.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "auctions; multiparty computation",
}
@Article{Tsudik:2008:E,
author = "Gene Tsudik",
title = "Editorial",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "11:1--11:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341732",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Zhang:2008:FIC,
author = "Qing Zhang and Ting Yu and Peng Ning",
title = "A Framework for Identifying Compromised Nodes in
Wireless Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "12:1--12:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341733",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Sensor networks are often subject to physical attacks.
Once a node's cryptographic key is compromised, an
attacker may completely impersonate it and introduce
arbitrary false information into the network. Basic
cryptographic mechanisms are often not effective in
this situation. Most techniques to address this problem
focus on detecting and tolerating false information
introduced by compromised nodes. They cannot pinpoint
exactly where the false information is introduced and
who is responsible for it. \par
In this article, we propose an application-independent
framework for accurately identifying compromised sensor
nodes. The framework provides an appropriate
abstraction of application-specific detection
mechanisms and models the unique properties of sensor
networks. Based on the framework, we develop alert
reasoning algorithms to identify compromised nodes. The
algorithm assumes that compromised nodes may collude at
will. We show that our algorithm is optimal in the
sense that it identifies the largest number of
compromised nodes without introducing false positives.
We evaluate the effectiveness of the designed algorithm
through comprehensive experiments.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "intrusion detection; sensor networks",
}
@Article{DiPietro:2008:RSN,
author = "Roberto {Di Pietro} and Luigi V. Mancini and
Alessandro Mei and Alessandro Panconesi and Jaikumar
Radhakrishnan",
title = "Redoubtable Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "13:1--13:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341734",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We give, for the first time, a precise mathematical
analysis of the connectivity and security properties of
sensor networks that make use of the random
predistribution of keys. We also show how to set the
parameters---pool and key ring size---in such a way
that the network is not only connected with high
probability via secure links but also provably
resilient, in the following sense: We formally show
that any adversary that captures sensors at random with
the aim of compromising a constant fraction of the
secure links must capture at least a constant fraction
of the nodes of the network. In the context of wireless
sensor networks where random predistribution of keys is
employed, we are the first to provide a mathematically
precise proof, with a clear indication of parameter
choice, that two crucial properties---connectivity via
secure links and resilience against malicious
attacks---can be obtained simultaneously. We also show
in a mathematically rigorous way that the network
enjoys another strong security property. The adversary
cannot partition the network into two linear size
components, compromising all the links between them,
unless it captures linearly many nodes. This implies
that the network is also fault tolerant with respect to
node failures. Our theoretical results are complemented
by extensive simulations that reinforce our main
conclusions.",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "connectivity; probabilistic key sharing; random
graphs; Wireless sensor network",
}
@Article{Chang:2008:DAP,
author = "Katharine Chang and Kang G. Shin",
title = "Distributed Authentication of Program Integrity
Verification in Wireless Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "14:1--14:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341735",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Security in wireless sensor networks has become
important as they are being developed and deployed for
an increasing number of applications. The severe
resource constraints in each sensor make it very
challenging to secure sensor networks. Moreover,
sensors are usually deployed in hostile and unattended
environments and hence are susceptible to various
attacks, including node capture, physical tampering,
and manipulation of the sensor program. Park and Shin
[2005] proposed a soft tamper-proofing scheme that
verifies the integrity of the program in each sensor
device, called the program integrity verification
(PIV), in which sensors authenticate PIV servers
(PIVSs) using centralized and trusted third-party
entities, such as authentication servers (ASs). This
article presents a distributed authentication protocol
of PIVSs (DAPP) without requiring the commonly used
ASs. DAPP uses the Blundo scheme [Blundo et al. 1992]
for sensors and PIVSs to establish pairwise keys and
for PIVSs to authenticate one another. We also present
a protocol for PIVSs to cooperatively detect and revoke
malicious PIVSs in the network. We implement and
evaluate both DAPP and PIV on Mica2 Motes and laptops,
showing that DAPP reduces the sensors' communication
traffic in the network by more than 90\% and the energy
consumption on each sensor by up to 85\%, as compared
to the case of using a centralized AS for
authenticating PIVSs. We also analyze the security of
DAPP under various attack models, demonstrating its
capability in dealing with diverse types of attacks.",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "distributed authentication; node revocation; program
integrity verification; wireless sensor networks",
}
@Article{Xie:2008:MDA,
author = "Liang Xie and Sencun Zhu",
title = "Message Dropping Attacks in Overlay Networks: Attack
Detection and Attacker Identification",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "15:1--15:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341736",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Overlay multicast networks are used by service
providers to distribute contents such as Web pages,
static and streaming multimedia data, or security
updates to a large number of users. However, such
networks are extremely vulnerable to message-dropping
attacks by malicious or selfish nodes that
intentionally drop the packets they are required to
forward to others. It is difficult to detect such
attacks both efficiently and effectively and to further
identify the attackers, especially when members in the
overlay switch between online/offline statuses
frequently. In this article, we consider various
attacking strategies of an attacker and propose an
optimal sampling-based scheme to detect such attacks in
the overlay network. We analyze the detection problem
from a game-theoretical viewpoint and show that our
scheme outperforms a random sampling-based scheme in
terms of detection rate. In addition, based on a
reputation system, we propose a sampling-based
path-resolving scheme to identify compromised or
selfish nodes. Unlike other existing approaches, our
schemes do not assume global knowledge of the overlay
hierarchy and work for dynamic overlay networks as
well. Extensive analysis and simulation results show
that besides being bandwidth efficient, our schemes
have high detection and identification rates and low
false-positive rates.",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "attack detection; attacker identification; message
dropping attacks; Overlay networks",
}
@Article{Traynor:2008:NMH,
author = "Patrick Traynor and Michael Chien and Scott Weaver and
Boniface Hicks and Patrick McDaniel",
title = "Noninvasive Methods for Host Certification",
journal = j-TISSEC,
volume = "11",
number = "3",
pages = "16:1--16:??",
month = mar,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1341731.1341737",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 12 17:52:50 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Determining whether a user or system is exercising
appropriate security practices is difficult in any
context. Such difficulties are particularly pronounced
when uncontrolled or unknown platforms join public
networks. Commonly practiced techniques used to vet
these hosts, such as system scans, have the potential
to infringe on the privacy of users. In this article,
we show that it is possible for clients to prove both
the presence and proper functioning of security
infrastructure without allowing unrestricted access to
their system. We demonstrate this approach,
specifically applied to antivirus security, by
requiring clients seeking admission to a network to
positively identify the presence or absence of malcode
in a series of puzzles. The implementation of this
mechanism and its application to real networks are also
explored. In so doing, we demonstrate that it is not
necessary for an administrator to be invasive to
determine whether a client implements required security
practices.",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "assurance; certification; malware; network security",
}
@Article{Avoine:2008:CIT,
author = "Gildas Avoine and Pascal Junod and Philippe
Oechslin",
title = "Characterization and Improvement of Time-Memory
Trade-Off Based on Perfect Tables",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "17:1--17:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380565",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Cryptanalytic time-memory trade-offs have been studied
for 25 years and have benefited from several
improvements since the original work of Hellman. The
ensuing variants definitely improve the original
trade-off but their real impact has never been
evaluated in practice. We fill this lack by analyzing
the {\em perfect\/} form of classic tables,
distinguished point-based tables, and rainbow tables.
We especially provide a thorough analysis of the latter
variant, whose performances have never been formally
calculated yet. Our analysis leads to the concept of a
{\em characteristic\/} that enables to measure the
intrinsic quality of a trade-off. We finally introduce
a new technique based on {\em checkpoints\/} that still
reduces the cryptanalysis time by ruling out false
alarms probabilistically. Our analysis yields the exact
gain of this approach and establishes its efficiency
when applied on rainbow tables.",
acknowledgement = ack-nhfb,
articleno = "17",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "cryptography; Hellman's time-memory trade-off;
password cracking; rainbow tables",
}
@Article{Yang:2008:SSH,
author = "Yi Yang and Xinran Wang and Sencun Zhu and Guohong
Cao",
title = "{SDAP}: a Secure Hop-by-Hop Data Aggregation Protocol
for Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "18:1--18:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380568",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Hop-by-hop data aggregation is a very important
technique for reducing the communication overhead and
energy expenditure of sensor nodes during the process
of data collection in a sensor network. However,
because individual sensor readings are lost in the
per-hop aggregation process, compromised nodes in the
network may forge false values as the aggregation
results of other nodes, tricking the base station into
accepting spurious aggregation results. Here a
fundamental challenge is how can the base station
obtain a good approximation of the fusion result when a
fraction of sensor nodes are compromised?\par
To answer this challenge, we propose SDAP, a Secure
Hop-by-hop Data Aggregation Protocol for sensor
networks. SDAP is a general-purpose secure data
aggregation protocol applicable to multiple aggregation
functions. The design of SDAP is based on the
principles of {\em divide-and-conquer\/} and {\em
commit-and-attest}. First, SDAP uses a novel
probabilistic grouping technique to dynamically
partition the nodes in a tree topology into multiple
logical groups (subtrees) of similar sizes. A
commitment-based hop-by-hop aggregation is performed in
each group to generate a group aggregate. The base
station then identifies the suspicious groups based on
the set of group aggregates. Finally, each group under
suspect participates in an attestation process to prove
the correctness of its group aggregate. The aggregate
by the base station is calculated over all the group
aggregates that are either normal or have passed the
attestation procedure. Extensive analysis and
simulations show that SDAP can achieve the level of
efficiency close to an ordinary hop-by-hop aggregation
protocol while providing high assurance on the
trustworthiness of the aggregation result. Last,
prototype implementation on top of TinyOS shows that
our scheme is practical on current generation sensor
nodes such as Mica2 motes.",
acknowledgement = ack-nhfb,
articleno = "18",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "commit-and-attest; data aggregation; hop-by-hop;
probabilistic grouping; sensor network security",
}
@Article{Radosavac:2008:AFM,
author = "Svetlana Radosavac and George Moustakides and John S.
Baras and Iordanis Koutsopoulos",
title = "An Analytic Framework for Modeling and Detecting
Access Layer Misbehavior in Wireless Networks",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "19:1--19:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380567",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The widespread deployment of wireless networks and hot
spots that employ the IEEE 802.11 technology has forced
network designers to put emphasis on the importance of
ensuring efficient and fair use of network resources.
In this work we propose a novel framework for detection
of intelligent adaptive adversaries in the IEEE 802.11
MAC by addressing the problem of detection of the
worst-case scenario attacks. Utilizing the nature of
this protocol we employ sequential detection methods
for detecting greedy behavior and illustrate their
performance for detection of least favorable attacks.
By using robust statistics in our problem formulation,
we attempt to utilize the precision given by parametric
tests, while avoiding the specification of the
adversarial distribution. This approach establishes the
lowest performance bound of a given Intrusion Detection
System (IDS) in terms of detection delay and is
applicable in online detection systems where users who
pay for their services want to obtain the information
about the best and the worst case scenarios and
performance bounds of the system. This framework is
meaningful for studying misbehavior due to the fact
that it does not focus on specific adversarial
strategies and therefore is applicable to a wide class
of adversarial strategies.",
acknowledgement = ack-nhfb,
articleno = "19",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "MAC layer; min-max robust detection; protocol
misbehavior; wireless networks",
}
@Article{Ryu:2008:EID,
author = "Young U. Ryu and Hyeun-Suk Rhee",
title = "Evaluation of Intrusion Detection Systems Under a
Resource Constraint",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "20:1--20:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380566",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "An intrusion detection system plays an important role
in a firm's overall security protection. Its main
purpose is to identify potentially intrusive events and
alert the security personnel to the danger. A typical
intrusion detection system, however, is known to be
imperfect in detection of intrusive events, resulting
in high false-alarm rates. Nevertheless, current
intrusion detection models unreasonably assume that
upon alerts raised by a system, an information security
officer responds to all alarms without any delay and
avoids damages of hostile activities. This assumption
of responding to all alarms with no time lag is often
impracticable. As a result, the benefit of an intrusion
detection system can be overestimated by current
intrusion detection models. In this article, we extend
previous models by including an information security
officer's alarm inspection under a constraint as a part
of the process in determining the optimal intrusion
detection policy. Given a potentially hostile
environment for a firm, in which the intrusion rates
and costs associated with intrusion and security
officers' inspection can be estimated, we outline a
framework to establish the optimal operating points for
intrusion detection systems under security officers'
inspection constraint. The optimal solution to the
model will provide not only a basis of better
evaluation of intrusion detection systems but also
useful insights into operations of intrusion detection
systems. The firm can estimate expected benefits for
running intrusion detection systems and establish a
basis for increase in security personnel to relax
security officers' inspection constraint.",
acknowledgement = ack-nhfb,
articleno = "20",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "computer security; intrusion detection; optimal
inspection rates; optimal operating points",
}
@Article{Halpern:2008:UFO,
author = "Joseph Y. Halpern and Vicky Weissman",
title = "Using First-Order Logic to Reason about Policies",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "21:1--21:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380569",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A policy describes the conditions under which an
action is permitted or forbidden. We show that a
fragment of (multi-sorted) first-order logic can be
used to represent and reason about policies. Because we
use first-order logic, policies have a clear syntax and
semantics. We show that further restricting the
fragment results in a language that is still quite
expressive yet is also tractable. More precisely,
questions about entailment, such as ``May Alice access
the file?'', can be answered in time that is a
low-order polynomial (indeed, almost linear in some
cases), as can questions about the consistency of
policy sets.",
acknowledgement = ack-nhfb,
articleno = "21",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "digital rights management",
}
@Article{Liu:2008:ARL,
author = "Donggang Liu and Peng Ning and An Liu and Cliff Wang
and Wenliang Kevin Du",
title = "Attack-Resistant Location Estimation in Wireless
Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "22:1--22:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380570",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Many sensor network applications require sensors'
locations to function correctly. Despite the recent
advances, location discovery for sensor networks in
{\em hostile environments\/} has been mostly
overlooked. Most of the existing localization protocols
for sensor networks are vulnerable in hostile
environments. The security of location discovery can
certainly be enhanced by authentication. However, the
possible node compromises and the fact that location
determination uses certain physical features (e.g.,
received signal strength) of radio signals make
authentication not as effective as in traditional
security applications. This article presents two
methods to tolerate malicious attacks against
range-based location discovery in sensor networks. The
first method filters out malicious beacon signals on
the basis of the ``consistency'' among multiple beacon
signals, while the second method tolerates malicious
beacon signals by adopting an iteratively refined
voting scheme. Both methods can survive malicious
attacks even if the attacks bypass authentication,
provided that the benign beacon signals constitute the
majority of the beacon signals. This article also
presents the implementation and experimental evaluation
(through both field experiments and simulation) of all
the secure and resilient location estimation schemes
that can be used on the current generation of sensor
platforms (e.g., MICA series of motes), including the
techniques proposed in this article, in a network of
MICAz motes. The experimental results demonstrate the
effectiveness of the proposed methods, and also give
the secure and resilient location estimation scheme
most suitable for the current generation of sensor
networks.",
acknowledgement = ack-nhfb,
articleno = "22",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "localization; security; sensor networks",
}
@Article{Ganeriwal:2008:STS,
author = "Saurabh Ganeriwal and Christina P{\"o}pper and Srdjan
{\v{C}}apkun and Mani B. Srivastava",
title = "Secure Time Synchronization in Sensor Networks",
journal = j-TISSEC,
volume = "11",
number = "4",
pages = "23:1--23:??",
month = jul,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1380564.1380571",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Aug 5 19:37:22 MDT 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Time synchronization is critical in sensor networks at
many layers of their design. It enables better
duty-cycling of the radio, accurate and secure
localization, beamforming, and other collaborative
signal processing tasks. These benefits make
time-synchronization protocols a prime target of
malicious adversaries who want to disrupt the normal
operation of a sensor network. In this article, we
analyze attacks on existing time synchronization
protocols for wireless sensor networks and we propose a
secure time synchronization toolbox to counter these
attacks. This toolbox includes protocols for secure
pairwise and group synchronization of nodes that either
lie in the neighborhood of each other or are separated
by multiple hops. We provide an in-depth analysis of
the security and the energy overhead of the proposed
protocols. The efficiency of these protocols has been
tested through an experimental study on Mica2 motes.",
acknowledgement = ack-nhfb,
articleno = "23",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "delay; message authentication code; sensor networks;
time synchronization",
}
@Article{Barker:2008:SBA,
author = "Steve Barker and Marek J. Sergot and Duminda
Wijesekera",
title = "Status-Based Access Control",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "1:1--1:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410235",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Despite their widespread adoption, Role-based Access
Control (RBAC) models exhibit certain shortcomings that
make them less than ideal for deployment in, for
example, distributed access control. In the distributed
case, standard RBAC assumptions (e.g., of relatively
static access policies, managed by human users, with
complete information available about users and job
functions) do not necessarily apply. Moreover, RBAC is
restricted in the sense that it is based on one type of
ascribed status, an assignment of a user to a role. In
this article, we introduce the status-based access
control (SBAC) model for distributed access control.
The SBAC model (or family of models) is based on the
notion of users having an action status as well as an
ascribed status. A user's action status is established,
in part, from a history of events that relate to the
user; this history enables changing access policy
requirements to be naturally accommodated. The approach
can be implemented as an autonomous agent that reasons
about the events, actions, and a history (of events and
actions), which relates to a requester for access to
resources, in order to decide whether the requester is
permitted the access sought. We define a number of
algebras for composing SBAC policies, algebras that
exploit the language that we introduce for SBAC policy
representation: identification-based logic programs.
The SBAC model is richer than RBAC models and the
policies that can be represented in our approach are
more expressive than the policies admitted by a number
of monotonic languages that have been hitherto
described for representing distributed access control
requirements. Our algebras generalize existing algebras
that have been defined for access policy composition.
We also describe an approach for the efficient
implementation of SBAC policies.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "algebras; distributed security; logic; status-based
access control",
}
@Article{Xu:2008:DSB,
author = "Shouhuai Xu and Srdjan {\v{C}}apkun",
title = "Distributed and Secure Bootstrapping of Mobile Ad Hoc
Networks: Framework and Constructions",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "2:1--2:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410236",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Secure bootstrapping of mobile ad hoc networks
(MANETs) is a challenging problem in scenarios in which
network users (or nodes) do not share trust
relationships prior to the network deployment. In
recent years, a number of schemes have been proposed to
solve this problem, assuming either no or limited trust
between the nodes prior to their deployment. Despite
numerous proposals, there is no common understanding of
the proposed schemes and of the trade-offs that they
provide. This has consequences for both researchers and
practitioners, who do not have a clear idea how to
compare the schemes and how to select a scheme for a
given application. In this article, we present a
framework that helps in understanding and comparing
schemes for secure bootstrapping of MANETs. The
framework is general because it is policy-neutral and
can accommodate many existing bootstrapping schemes.
The proposed framework can equally serve as a good
basis for the development of new MANET bootstrapping
schemes; we show how the development of the framework
leads to two new (classes of) distributed bootstrapping
schemes. Within the framework, we not only investigate
and characterize the properties of the relevant
bootstrapping schemes, but also give methods for
practitioners to select the relevant system parameters
in the Random Walk and the (Restricted) Random Waypoint
mobility models.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "MANETs; secure communication; security bootstrapping",
}
@Article{Boldyreva:2008:NMS,
author = "Alexandra Boldyreva and Craig Gentry and Adam O'Neill
and Dae Hyun Yum",
title = "New Multiparty Signature Schemes for Network Routing
Applications",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "3:1--3:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410237",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We construct two new multiparty digital signature
schemes that allow multiple signers to sequentially and
non-interactively produce a compact, fixed-length
signature. First, we introduce a new primitive that we
call {\em ordered multisignature\/} (OMS) scheme, which
allows signers to attest to a common message as well as
the order in which they signed. Our OMS construction
substantially improves computational efficiency and
scalability over any existing scheme with suitable
functionality. Second, we design a new identity-based
sequential aggregate signature scheme, where signers
can attest to different messages and signature
verification does not require knowledge of traditional
public keys. The latter property permits savings on
bandwidth and storage as compared to public-key
solutions. In contrast to the only prior scheme to
provide this functionality, ours offers improved
security that does not rely on synchronized clocks or a
trusted first signer. We provide formal security
definitions and support the proposed schemes with
security proofs under appropriate computational
assumptions. We focus on applications of our schemes to
secure network routing, but we believe that they will
find other applications as well.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "aggregate signatures; digital signatures;
identity-based signatures; multisignatures; network
security; pairings",
}
@Article{Wang:2008:GBA,
author = "Wei Wang and Thomas E. Daniels",
title = "A Graph Based Approach Toward Network Forensics
Analysis",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "4:1--4:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410238",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In this article we develop a novel graph-based
approach toward network forensics analysis. Central to
our approach is the evidence graph model that
facilitates evidence presentation and automated
reasoning. Based on the evidence graph, we propose a
hierarchical reasoning framework that consists of two
levels. Local reasoning aims to infer the functional
states of network entities from local observations.
Global reasoning aims to identify important entities
from the graph structure and extract groups of densely
correlated participants in the attack scenario. This
article also presents a framework for interactive
hypothesis testing, which helps to identify the
attacker's nonexplicit attack activities from secondary
evidence. We developed a prototype system that
implements the techniques discussed. Experimental
results on various attack datasets demonstrate that our
analysis mechanism achieves good coverage and accuracy
in attack group and scenario extraction with less
dependence on hard-coded expert knowledge.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "evidence graph; hierarchical reasoning; network
forensics",
}
@Article{Halpern:2008:SMS,
author = "Joseph Y. Halpern and Kevin R. O'Neill",
title = "Secrecy in Multiagent Systems",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "5:1--5:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410239",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We introduce a general framework for reasoning about
secrecy requirements in multiagent systems. Our
definitions extend earlier definitions of secrecy and
nondeducibility given by Shannon and Sutherland.
Roughly speaking, one agent maintains secrecy with
respect to another if the second agent cannot rule out
any possibilities for the behavior or state of the
first agent. We show that the framework can handle
probability and nondeterminism in a clean way, is
useful for reasoning about asynchronous systems as well
as synchronous systems, and suggests generalizations of
secrecy that may be useful for dealing with issues such
as resource-bounded reasoning. We also show that a
number of well-known attempts to characterize the
absence of information flow are special cases of our
definitions of secrecy.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "information flow; secrecy",
}
@Article{Yao:2008:PIR,
author = "Danfeng Yao and Keith B. Frikken and Mikhail J.
Atallah and Roberto Tamassia",
title = "Private Information: To Reveal or not to Reveal",
journal = j-TISSEC,
volume = "12",
number = "1",
pages = "6:1--6:??",
month = oct,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1410234.1410240",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Nov 11 15:54:06 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This article studies the notion of quantitative
policies for trust management and gives protocols for
realizing them in a disclosure-minimizing fashion.
Specifically, Bob values each credential with a certain
number of points, and requires a minimum total
threshold of points before granting Alice access to a
resource. In turn, Alice values each of her credentials
with a privacy score that indicates her degree of
reluctance to reveal that credential. Bob's valuation
of credentials and his threshold are private. Alice's
privacy-valuation of her credentials is also private.
Alice wants to find a subset of her credentials that
achieves Bob's required threshold for access, yet is of
as small a value to her as possible. We give protocols
for computing such a subset of Alice's credentials
without revealing any of the two parties'
above-mentioned private information. Furthermore, we
develop a fingerprint method that allows Alice to
independently and easily recover the optimal knapsack
solution, once the computed optimal value is given, but
also enables verification of the integrity of the
optimal value. The fingerprint method is useful beyond
the specific authorization problem studied, and can be
applied to any integer knapsack dynamic programming in
a private setting.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "authorization; policies; secure multi-party
computation",
}
@Article{Wright:2008:GES,
author = "Rebecca N. Wright and Sabrina {De Capitani di Vimercati}",
title = "Guest Editorial: Special Issue on Computer and
Communications Security",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "7:1--7:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455519",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "7",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Lee:2008:ESC,
author = "Adam J. Lee and Marianne Winslett",
title = "Enforcing Safety and Consistency Constraints in
Policy-Based Authorization Systems",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "8:1--8:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455520",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In trust negotiation and other forms of distributed
proving, networked entities cooperate to form proofs of
authorization that are justified by collections of
certified attribute credentials. These attributes may
be obtained through interactions with any number of
external entities and are collected and validated over
an extended period of time. Although these collections
of credentials in some ways resemble partial system
snapshots, current trust negotiation and distributed
proving systems lack the notion of a consistent global
state in which the satisfaction of authorization
policies should be checked. In this article, we argue
that unlike the notions of consistency studied in other
areas of distributed computing, the level of
consistency required during policy evaluation is
predicated solely upon the security requirements of the
policy evaluator. As such, there is little incentive
for entities to participate in complicated consistency
preservation schemes like those used in distributed
computing, distributed databases, and distributed
shared memory. We go on to show that the most intuitive
notion of consistency fails to provide basic safety
guarantees under certain circumstances and then propose
several more refined notions of consistency that
provide stronger safety guarantees. We provide
algorithms that allow each of these refined notions of
consistency to be attained in practice with minimal
overheads and formally prove several security and
privacy properties of these algorithms. Lastly, we
explore the notion of strategic design trade-offs in
the consistency enforcement algorithm space and propose
several modifications to the core algorithms presented
in this article. These modifications enhance the
privacy-preservation or completeness properties of
these algorithms without altering the consistency
constraints that they enforce.",
acknowledgement = ack-nhfb,
articleno = "8",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "consistency; credentials; distributed proving; trust
negotiation",
}
@Article{Golle:2008:DCS,
author = "Philippe Golle and Frank McSherry and Ilya Mironov",
title = "Data Collection with Self-Enforcing Privacy",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "9:1--9:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455521",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Consider a pollster who wishes to collect private,
sensitive data from a number of distrustful
individuals. How might the pollster convince the
respondents that it is trustworthy? Alternately, what
mechanism could the respondents insist upon to ensure
that mismanagement of their data is detectable and
publicly demonstrable?\par
We detail this problem, and provide simple data
submission protocols with the properties that (a)
leakage of private data by the pollster results in
evidence of the transgression and (b) the evidence
cannot be fabricated without breaking cryptographic
assumptions. With such guarantees, a responsible
pollster could post a ``privacy-bond,'' forfeited to
anyone who can provide evidence of leakage. The
respondents are assured that appropriate penalties are
applied to a leaky pollster, while the protection from
spurious indictment ensures that any honest pollster
has no disincentive to participate in such a scheme.",
acknowledgement = ack-nhfb,
articleno = "9",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "data collection; privacy",
}
@Article{Cadar:2008:EAG,
author = "Cristian Cadar and Vijay Ganesh and Peter M. Pawlowski
and David L. Dill and Dawson R. Engler",
title = "{EXE}: Automatically Generating Inputs of Death",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "10:1--10:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455522",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This article presents EXE, an effective bug-finding
tool that automatically generates inputs that crash
real code. Instead of running code on manually or
randomly constructed input, EXE runs it on symbolic
input initially allowed to be anything. As checked code
runs, EXE tracks the constraints on each symbolic
(i.e., input-derived) memory location. If a statement
uses a symbolic value, EXE does not run it, but instead
adds it as an input-constraint; all other statements
run as usual. If code conditionally checks a symbolic
expression, EXE forks execution, constraining the
expression to be true on the true branch and false on
the other. Because EXE reasons about all possible
values on a path, it has much more power than a
traditional runtime tool: (1) it can force execution
down any feasible program path and (2) at dangerous
operations (e.g., a pointer dereference), it detects if
the current path constraints allow {\em any\/} value
that causes a bug. When a path terminates or hits a
bug, EXE automatically generates a test case by solving
the current path constraints to find concrete values
using its own co-designed constraint solver, STP.
Because EXE's constraints have no approximations,
feeding this concrete input to an uninstrumented
version of the checked code will cause it to follow the
same path and hit the same bug (assuming deterministic
code).\par
EXE works well on real code, finding bugs along with
inputs that trigger them in: the BSD and Linux packet
filter implementations, the dhcpd DHCP server, the pcre
regular expression library, and three Linux file
systems.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "attack generation; bug finding; constraint solving;
dynamic analysis; symbolic execution; test case
generation",
}
@Article{Wang:2008:FBB,
author = "Xiaofeng Wang and Zhuowei Li and Jong Youl Choi and
Jun Xu and Michael K. Reiter and Chongkyung Kil",
title = "Fast and Black-box Exploit Detection and Signature
Generation for Commodity Software",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "11:1--11:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455523",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In biology, a {\em vaccine\/} is a weakened strain of
a virus or bacterium that is intentionally injected
into the body for the purpose of stimulating antibody
production. Inspired by this idea, we propose a {\em
packet vaccine\/} mechanism that randomizes
address-like strings in packet payloads to carry out
fast exploit detection and signature generation. An
exploit with a randomized jump address behaves like a
vaccine: it will likely cause an exception in a
vulnerable program's process when attempting to hijack
the control flow, and thereby expose itself. Taking
that exploit as a template, our signature generator
creates a set of new vaccines to probe the program in
an attempt to uncover the necessary conditions for the
exploit to happen. A signature is built upon these
conditions to shield the underlying vulnerability from
further attacks. In this way, packet vaccine detects
exploits and generates signatures in a black-box
fashion, that is, not relying on the knowledge of a
vulnerable program's source and binary code. Therefore,
it even works on the commodity software obfuscated for
the purpose of copyright protection. In addition, since
our approach avoids the expense of tracking the
program's execution flow, it performs almost as fast as
a normal run of the program and is capable of
generating a signature of high quality within seconds
or even subseconds. We present the design of the packet
vaccine mechanism and an example of its application. We
also describe our proof-of-concept implementation and
the evaluation of our technique using real exploits.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "black-box defense; exploit detection; signature
generation; vaccine injection; worm",
}
@Article{Antonatos:2008:PMW,
author = "Spiros Antonatos and Periklis Akritidis and Vinh The
Lam and Kostas G. Anagnostakis",
title = "Puppetnets: Misusing {Web} Browsers as a Distributed
Attack Infrastructure",
journal = j-TISSEC,
volume = "12",
number = "2",
pages = "12:1--12:??",
month = dec,
year = "2008",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1455518.1455524",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Dec 23 11:58:14 MST 2008",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Most of the recent work on Web security focuses on
preventing attacks that directly harm the browser's
host machine and user. In this paper we attempt to
quantify the threat of browsers being indirectly
misused for attacking third parties. Specifically, we
look at how the existing Web infrastructure (e.g., the
languages, protocols, and security policies) can be
exploited by malicious or subverted Web sites to
remotely instruct browsers to orchestrate actions
including denial of service attacks, worm propagation,
and reconnaissance scans. We show that attackers are
able to create powerful botnet-like infrastructures
that can cause significant damage. We explore the
effectiveness of countermeasures including anomaly
detection and more fine-grained browser security
policies.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "distributed attacks; malicious software; Web
security",
}
@Article{Xie:2008:TMS,
  author          = {Mengjun Xie and Heng Yin and Haining Wang},
  title           = {Thwarting {E}-mail Spam Laundering},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {2},
  pages           = {13:1--13:??},
  month           = dec,
  year            = {2008},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455518.1455525},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Dec 23 11:58:14 MST 2008},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Laundering e-mail spam through open-proxies or
    compromised PCs is a widely-used trick to conceal real
    spam sources and reduce spamming cost in the
    underground e-mail spam industry. Spammers have plagued
    the Internet by exploiting a large number of spam
    proxies. The facility of breaking spam laundering and
    deterring spamming activities close to their sources,
    which would greatly benefit not only e-mail users but
    also victim ISPs, is in great demand but still missing.
    In this article, we reveal one salient characteristic
    of proxy-based spamming activities, namely packet
    symmetry, by analyzing protocol semantics and timing
    causality. Based on the packet symmetry exhibited in
    spam laundering, we propose a simple and effective
    technique, DBSpam, to online detect and break spam
    laundering activities inside a customer network.
    Monitoring the bidirectional traffic passing through a
    network gateway, DBSpam utilizes a simple statistical
    method, Sequential Probability Ratio Test, to detect
    the occurrence of spam laundering in a timely manner.
    To balance the goals of promptness and accuracy, we
    introduce a noise-reduction technique in DBSpam, after
    which the laundering path can be identified more
    accurately. Then DBSpam activates its spam suppressing
    mechanism to break the spam laundering. We implement a
    prototype of DBSpam based on {\em libpcap}, and
    validate its efficacy on spam detection and suppression
    through both theoretical analyses and trace-based
    experiments.},
  acknowledgement = ack-nhfb,
  articleno       = {13},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {proxy; Spam; SPRT},
}
@Article{Liang:2009:AIE,
  author          = {Zhenkai Liang and Weiqing Sun and V. N.
    Venkatakrishnan and R. Sekar},
  title           = {{Alcatraz}: An Isolated Environment for Experimenting
    with Untrusted Software},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {14:1--14:37},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455527},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {In this article, we present an approach for realizing
    a {\em safe execution environment (SEE)\/} that enables
    users to ``try out'' new software (or configuration
    changes to existing software) without the fear of
    damaging the system in any manner. A key property of
    our SEE is that it faithfully reproduces the behavior
    of applications, as if they were running natively on
    the underlying (host) operating system. This is
    accomplished via {\em one-way isolation\/}: processes
    running within the SEE are given read-access to the
    environment provided by the host OS, but their write
    operations are prevented from escaping outside the SEE.
    As a result, SEE processes cannot impact the behavior
    of host OS processes, or the integrity of data on the
    host OS. SEEs support a wide range of tasks, including:
    study of malicious code, controlled execution of
    untrusted software, experimentation with software
    configuration changes, testing of software patches, and
    so on. It provides a convenient way for users to
    inspect system changes made within the SEE. If these
    changes are not accepted, they can be rolled back at
    the click of a button. Otherwise, the changes can be
    committed so as to become visible outside the SEE. We
    provide consistency criteria that ensure semantic
    consistency of the committed results. We develop two
    different implementation approaches, one in {\em
    user-land\/} and the other in the {\em OS kernel}, for
    realizing a safe-execution environment. Our
    implementation results show that most software,
    including fairly complex server and client
    applications, can run successfully within our SEEs. It
    introduces low performance overheads, typically below
    10 percent.},
  acknowledgement = ack-nhfb,
  articleno       = {14},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {Isolation; one-way isolation},
}
@Article{Yao:2009:CAR,
  author          = {Danfeng Yao and Roberto Tamassia},
  title           = {Compact and Anonymous Role-Based Authorization Chain},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {15:1--15:??},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455528},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {We introduce a decentralized delegation model called
    anonymous role-based cascaded delegation. In this
    model, a delegator can issue authorizations on behalf
    of her role without revealing her identity. This type
    of delegation protects the sensitive membership
    information of a delegator and hides the internal
    structure of an organization. To provide an efficient
    storage and transmission mechanism for credentials used
    in anonymous role-based cascaded delegation, we present
    a new digital signature scheme that supports both
    signer anonymity and signature aggregation. Our scheme
    has compact role signatures that make it especially
    suitable for ubiquitous computing environments, where
    users may have mobile computing devices with narrow
    communication bandwidth and small storage units.},
  acknowledgement = ack-nhfb,
  articleno       = {15},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {aggregate signature; anonymity; Delegation},
}
@Article{Bethencourt:2009:NTP,
  author          = {John Bethencourt and Dawn Song and Brent Waters},
  title           = {New Techniques for Private Stream Searching},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {16:1--16:??},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455529},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {A system for private stream searching, introduced by
    Ostrovsky and Skeith, allows a client to provide an
    untrusted server with an encrypted search query. The
    server uses the query on a stream of documents and
    returns the matching documents to the client while
    learning nothing about the nature of the query. We
    present a new scheme for conducting private keyword
    search on streaming data which requires $O(m)$ server
    to client communication complexity to return the
    content of the matching documents, where $m$ is an
    upper bound on the size of the documents. The required
    storage on the server conducting the search is also
    $O(m)$. The previous best scheme for private stream
    searching was shown to have $O(m \log m)$ communication
    and storage complexity. Our solution employs a novel
    construction in which the user reconstructs the
    matching files by solving a system of linear equations.
    This allows the matching documents to be stored in a
    compact buffer rather than relying on redundancies to
    avoid collisions in the storage buffer as in previous
    work. This technique requires a small amount of
    metadata to be returned in addition to the documents;
    for this the original scheme of Ostrovsky and Skeith
    may be employed with $O(m \log m)$ communication and
    storage complexity. We also present an alternative
    method for returning the necessary metadata based on a
    unique encrypted Bloom filter construction. This method
    requires $O(m \log(t / m))$ communication and storage
    complexity, where $t$ is the number of documents in the
    stream. In this article we describe our scheme, prove
    it secure, analyze its asymptotic performance, and
    describe a number of extensions. We also provide an
    experimental analysis of its scalability in practice.
    Specifically, we consider its performance in the
    demanding scenario of providing a privacy preserving
    version of the Google News Alerts service.},
  acknowledgement = ack-nhfb,
  articleno       = {16},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {Bloom filter; private information retrieval; private
    stream searching; public key program obfuscation},
}
@Article{Crosby:2009:OLR,
  author          = {Scott A. Crosby and Dan S. Wallach and Rudolf H.
    Riedi},
  title           = {Opportunities and Limits of Remote Timing Attacks},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {17:1--17:??},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455530},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Many algorithms can take a variable amount of time to
    complete depending on the data being processed. These
    timing differences can sometimes disclose confidential
    information. Indeed, researchers have been able to
    reconstruct an RSA private key purely by querying an
    SSL Web server and timing the results. Our work
    analyzes the limits of attacks based on accurately
    measuring network response times and jitter over a
    local network and across the Internet. We present the
    design of filters to significantly reduce the effects
    of jitter, allowing an attacker to measure events with
    15--100$\mu$s accuracy across the Internet, and as good
    as 100ns over a local network. Notably,
    security-related algorithms on Web servers and other
    network servers need to be carefully engineered to
    avoid timing channel leaks at the accuracy demonstrated
    in this article.},
  acknowledgement = ack-nhfb,
  articleno       = {17},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {Information leakage; jitter; timing attacks},
}
@Article{Atallah:2009:DEK,
  author          = {Mikhail J. Atallah and Marina Blanton and Nelly Fazio
    and Keith B. Frikken},
  title           = {Dynamic and Efficient Key Management for Access
    Hierarchies},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {18:1--18:??},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455531},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Hierarchies arise in the context of access control
    whenever the user population can be modeled as a set of
    partially ordered classes (represented as a directed
    graph). A user with access privileges for a class
    obtains access to objects stored at that class and all
    descendant classes in the hierarchy. The problem of key
    management for such hierarchies then consists of
    assigning a key to each class in the hierarchy so that
    keys for descendant classes can be obtained via
    efficient key derivation.\par
    We propose a solution to this problem with the
    following properties: (1) the space complexity of the
    public information is the same as that of storing the
    hierarchy; (2) the private information at a class
    consists of a single key associated with that class;
    (3) updates (i.e., revocations and additions) are
    handled {\em locally\/} in the hierarchy; (4) the
    scheme is provably secure against collusion; and (5)
    each node can derive the key of any of its descendant
    with a number of symmetric-key operations bounded by
    the length of the path between the nodes. Whereas many
    previous schemes had some of these properties, ours is
    the first that satisfies all of them. The security of
    our scheme is based on pseudorandom functions, without
    reliance on the Random Oracle Model.\par
    Another substantial contribution of this work is that
    we are able to lower the key derivation time at the
    expense of modestly increasing the public storage
    associated with the hierarchy. Insertion of additional,
    so-called shortcut, edges, allows to lower the key
    derivation to a small constant number of steps for
    graphs that are total orders and trees by increasing
    the total number of edges by a small asymptotic factor
    such as $O(\log^* n)$ for an $n$-node hierarchy. For
    more general access hierarchies of dimension $d$, we
    use a technique that consists of adding dummy nodes and
    dimension reduction. The key derivation work for such
    graphs is then linear in $d$ and the increase in the
    number of edges is by the factor $O(\log^{d - 1} n)$
    compared to the one-dimensional case.\par
    Finally, by making simple modifications to our scheme,
    we show how to handle extensions proposed by Crampton
    [2003] of the standard hierarchies to ``limited depth''
    and reverse inheritance.},
  acknowledgement = ack-nhfb,
  articleno       = {18},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {Efficient key derivation; hierarchical access control;
    key management},
}
@Article{Ligatti:2009:RTE,
  author          = {Jay Ligatti and Lujo Bauer and David Walker},
  title           = {Run-Time Enforcement of Nonsafety Policies},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {3},
  pages           = {19:1--19:??},
  month           = jan,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1455526.1455532},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Mon Feb 2 18:03:37 MST 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {A common mechanism for ensuring that software behaves
    securely is to monitor programs at run time and check
    that they dynamically adhere to constraints specified
    by a security policy. Whenever a program monitor
    detects that untrusted software is attempting to
    execute a dangerous action, it takes remedial steps to
    ensure that only safe code actually gets
    executed.\par
    This article improves our understanding of the space of
    policies enforceable by monitoring the run-time
    behaviors of programs. We begin by building a formal
    framework for analyzing policy enforcement: we
    precisely define policies, monitors, and enforcement.
    This framework allows us to prove that monitors enforce
    an interesting set of policies that we call the
    infinite renewal properties. We show how to construct a
    program monitor that provably enforces any reasonable
    infinite renewal property. We also show that the set of
    infinite renewal properties includes some nonsafety
    policies, that is, that monitors can enforce some
    nonsafety (including some purely liveness) policies.
    Finally, we demonstrate concrete examples of nonsafety
    policies enforceable by practical run-time monitors.},
  acknowledgement = ack-nhfb,
  articleno       = {19},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {liveness; monitoring; policy enforcement; safety;
    security automata; security policies},
}
@Article{Li:2009:RPA,
  author          = {Ninghui Li and Qihua Wang and Mahesh Tripunitara},
  title           = {Resiliency Policies in Access Control},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {4},
  pages           = {20:1--20:??},
  month           = apr,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1513601.1513602},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu May 14 13:53:50 MDT 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {We introduce the notion of resiliency policies in the
    context of access control systems. Such policies
    require an access control system to be resilient to the
    absence of users. An example resiliency policy requires
    that upon removal of any $s$ users, there should still
    exist $d$ disjoint sets of users such that the users in
    each set together possess certain permissions of
    interest. Such a policy ensures that even when
    emergency situations cause some users to be absent,
    there still exist independent teams of users that have
    the permissions necessary for carrying out critical
    tasks. The Resiliency Checking Problem determines
    whether an access control state satisfies a given
    resiliency policy. We show that the general case of the
    problem and several subcases are intractable (NP hard),
    and identify two subcases that are solvable in linear
    time. For the intractable cases, we also identify the
    complexity class in the polynomial hierarchy to which
    these problems belong. We discuss the design and
    evaluation of an algorithm that can efficiently solve
    instances of nontrivial sizes that belong to the
    intractable cases of the problem. Furthermore, we study
    the consistency problem between resiliency policies and
    static separation of duty policies. Finally, we combine
    the notions of resiliency and separation of duty to
    introduce the resilient separation of duty policy,
    which is useful in situations where both
    fault-tolerance and fraud-prevention are desired.},
  acknowledgement = ack-nhfb,
  articleno       = {20},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {access control; fault-tolerant; policy design},
}
@Article{Burmester:2009:UCR,
  author          = {Mike Burmester and Tri Van Le and Breno {De Medeiros}
    and Gene Tsudik},
  title           = {Universally Composable {RFID} Identification and
    Authentication Protocols},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {4},
  pages           = {21:1--21:??},
  month           = apr,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1513601.1513603},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu May 14 13:53:50 MDT 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {As the number of RFID applications grows, concerns
    about their security and privacy become greatly
    amplified. At the same time, the acutely restricted and
    cost-sensitive nature of RFID tags rules out simple
    reuse of traditional security/privacy solutions and
    calls for a new generation of extremely lightweight
    identification and authentication protocols.\par
    This article describes a universally composable
    security framework designed especially for RFID
    applications. We adopt RFID-specific setup,
    communication, and concurrency assumptions in a model
    that guarantees strong security, privacy, and
    availability properties. In particular, the framework
    supports modular deployment, which is most appropriate
    for ubiquitous applications. We also describe a set of
    simple, efficient, secure, and anonymous (untraceable)
    RFID identification and authentication protocols that
    instantiate the proposed framework. These protocols
    involve minimal interaction between tags and readers
    and place only a small computational load on the tag,
    and a light computational burden on the back-end
    server. We show that our protocols are provably secure
    within the proposed framework.},
  acknowledgement = ack-nhfb,
  articleno       = {21},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {authentication and key-exchange protocols; RFID
    security; universal composability},
}
@Article{Cabuk:2009:ICC,
  author          = {Serdar Cabuk and Carla E. Brodley and Clay Shields},
  title           = {{IP} Covert Channel Detection},
  journal         = j-TISSEC,
  volume          = {12},
  number          = {4},
  pages           = {22:1--22:29},
  month           = apr,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1513601.1513604},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Thu May 14 13:53:50 MDT 2009},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {A covert channel can occur when an attacker finds and
    exploits a shared resource that is not designed to be a
    communication mechanism. A network covert channel
    operates by altering the timing of otherwise legitimate
    network traffic so that the arrival times of packets
    encode confidential data that an attacker wants to
    exfiltrate from a secure area from which she has no
    other means of communication. In this article, we
    present the first public implementation of an IP covert
    channel, discuss the subtle issues that arose in its
    design, and present a discussion on its efficacy. We
    then show that an IP covert channel can be
    differentiated from legitimate channels and present new
    detection measures that provide detection rates over
    95\%. We next take the simple step an attacker would of
    adding noise to the channel to attempt to conceal the
    covert communication. For these noisy IP covert timing
    channels, we show that our online detection measures
    can fail to identify the covert channel for noise
    levels higher than 10\%. We then provide effective
    offline search mechanisms that identify the noisy
    channels.},
  acknowledgement = ack-nhfb,
  articleno       = {22},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
  keywords        = {channel detection; information hiding; network covert
    channels},
}
@Article{Meadows:2009:IAT,
  author          = {Catherine Meadows},
  title           = {Introduction to {ACM TISSEC} special issue on {CCS
    2005}},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {1:1--1:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609957},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {1},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Li:2009:ATN,
  author          = {Jiangtao Li and Ninghui Li and William H.
    Winsborough},
  title           = {Automated trust negotiation using cryptographic
    credentials},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {2:1--2:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609958},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {2},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Zhuang:2009:KAE,
  author          = {Li Zhuang and Feng Zhou and J. D. Tygar},
  title           = {Keyboard acoustic emanations revisited},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {3:1--3:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609959},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {3},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Abadi:2009:CFI,
  author          = {Mart{\'\i}n Abadi and Mihai Budiu and {\'U}lfar
    Erlingsson and Jay Ligatti},
  title           = {Control-flow integrity principles, implementations,
    and applications},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {4:1--4:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609960},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {4},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Etalle:2009:MCW,
  author          = {Sandro Etalle and William H. Winsborough},
  title           = {Maintaining control while delegating trust: Integrity
    constraints in trust management},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {5:1--5:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609961},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {5},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Carminati:2009:EAC,
  author          = {Barbara Carminati and Elena Ferrari and Andrea
    Perego},
  title           = {Enforcing access control in {Web}-based social
    networks},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {6:1--6:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609962},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {6},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Juels:2009:DSP,
  author          = {Ari Juels and Stephen A. Weis},
  title           = {Defining strong privacy for {RFID}},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {7:1--7:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609963},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {7},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Zhu:2009:CAC,
  author          = {Ye Zhu and Riccardo Bettati},
  title           = {Compromising anonymous communication systems using
    blind source separation},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {8:1--8:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609964},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {8},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Sang:2009:ESP,
  author          = {Yingpeng Sang and Hong Shen},
  title           = {Efficient and secure protocols for privacy-preserving
    set operations},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {1},
  pages           = {9:1--9:??},
  month           = oct,
  year            = {2009},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1609956.1609965},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:12 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {9},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
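%% The attack cost in the abstract is an exponent, 2^{23} steps; it is
%% written in math mode so the superscript cannot be flattened.
%% NOTE(review): the abstract text stops mid-sentence at "in which an
%% attack"; the remainder should be restored from the publisher record.
@Article{Dorrendorf:2009:CRN,
author = "Leo Dorrendorf and Zvi Gutterman and Benny Pinkas",
title = "Cryptanalysis of the random number generator of the
{Windows} operating system",
journal = j-TISSEC,
volume = "13",
number = "1",
pages = "10:1--10:32",
month = oct,
year = "2009",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1609956.1609966",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:12 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The PseudoRandom Number Generator (PRNG) used by the
Windows operating system is the most commonly used
PRNG. The pseudorandomness of the output of this
generator is crucial for the security of almost any
application running in Windows. Nevertheless, its exact
algorithm was never published.\par
We examined the binary code of a distribution of
Windows 2000. This investigation was done without any
help from Microsoft. We reconstructed the algorithm used
by the pseudorandom number generator (namely, the
function CryptGenRandom). We analyzed the security of
the algorithm and found a nontrivial attack: Given the
internal state of the generator, the previous state can
be computed in $2^{23}$ steps. This attack on forward
security demonstrates that the design of the generator
is flawed, since it is well known how to prevent such
attacks. After our analysis was published, Microsoft
acknowledged that Windows XP is vulnerable to the same
attack.\par
We also analyzed the way in which the generator is used
by the operating system and found that it amplifies the
effect of the attack: The generator is run in user mode
rather than in kernel mode; therefore, it is easy to
access its state even without administrator privileges.
The initial values of part of the state of the
generator are not set explicitly, but rather are
defined by whatever values are present on the stack
when the generator is called. Furthermore, each process
runs a different copy of the generator, and the state
of the generator is refreshed with system-generated
entropy only after generating 128KB of output for the
process running it. The result of combining this
observation with our attack is that learning a single
state may reveal 128KB of the past and future output of
the generator.\par
The implication of these findings is that a buffer
overflow attack or a similar attack can be used to
learn a single state of the generator, which can then
be used to predict all random values, such as SSL keys,
used by a process in all its past and future
operations. This attack is more severe and more
efficient than known attacks in which an attack",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}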
@Article{diVimercati:2010:GES,
  author          = {Sabrina de Capitani di Vimercati and Paul Syverson},
  title           = {Guest editorial: Special issue on computer and
    communications security},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {2},
  pages           = {11:1--11:??},
  month           = feb,
  year            = {2010},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1698750.1698751},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:15 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {11},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Jiang:2010:SMD,
  author          = {Xuxian Jiang and Xinyuan Wang and Dongyan Xu},
  title           = {Stealthy malware detection and monitoring through
    {VMM}-based ``out-of-the-box'' semantic view
    reconstruction},
  journal         = j-TISSEC,
  volume          = {13},
  number          = {2},
  pages           = {12:1--12:??},
  month           = feb,
  year            = {2010},
  CODEN           = {ATISBQ},
  DOI             = {https://doi.org/10.1145/1698750.1698752},
  ISSN            = {1094-9224 (print), 1557-7406 (electronic)},
  ISSN-L          = {1094-9224},
  bibdate         = {Tue Mar 16 10:18:15 MDT 2010},
  bibsource       = {http://portal.acm.org/;
    http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  acknowledgement = ack-nhfb,
  articleno       = {12},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-URL     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@Article{Hopper:2010:HMA,
author = "Nicholas Hopper and Eugene Y. Vasserman and Eric
Chan-Tin",
title = "How much anonymity does network latency leak?",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "13:1--13:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698753",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bisht:2010:CDC,
author = "Prithvi Bisht and P. Madhusudan and V. N.
Venkatakrishnan",
title = "{CANDID}: Dynamic candidate evaluations for automatic
prevention of {SQL} injection attacks",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "14:1--14:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698754",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ponec:2010:NPA,
author = "Miroslav Ponec and Paul Giura and Joel Wein and
Herv{\'e} Br{\"o}nnimann",
title = "New payload attribution methods for network forensic
investigations",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "15:1--15:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698755",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Moran:2010:SBV,
author = "Tal Moran and Moni Naor",
title = "Split-ballot voting: Everlasting privacy with
distributed trust",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "16:1--16:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698756",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Lysyanskaya:2010:AEC,
author = "Anna Lysyanskaya and Roberto Tamassia and Nikos
Triandopoulos",
title = "Authenticated error-correcting codes with applications
to multicast authentication",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "17:1--17:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698757",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "17",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wang:2010:DVT,
author = "Xiaofeng Wang and Philippe Golle and Markus Jakobsson
and Alex Tsow",
title = "Deterring voluntary trace disclosure in re-encryption
mix-networks",
journal = j-TISSEC,
volume = "13",
number = "2",
pages = "18:1--18:??",
month = feb,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1698750.1698758",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Mar 16 10:18:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "18",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Biskup:2010:EE,
author = "Joachim Biskup and Javier Lopez",
title = "Editorial: {ESORICS 2007}",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "19:1--19:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805975",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "19",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Becker:2010:LSM,
author = "Moritz Y. Becker and Sebastian Nanz",
title = "A logic for state-modifying authorization policies",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "20:1--20:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805976",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Administering and maintaining access control systems
is a challenging task, especially in environments with
complex and changing authorization requirements. A
number of authorization logics have been proposed that
aim at simplifying access control by factoring the
authorization policy out of the hard-coded resource
guard. However, many policies require the authorization
state to be updated after a granted access request, for
example, to reflect the fact that a user has activated
or deactivated a role. Current authorization languages
cannot express such state modifications; these still
have to be hard-coded into the resource guard. We
present a logic for specifying policies where access
requests can have effects on the authorization state.
The logic is semantically defined by a mapping to
Transaction Logic. Using this approach, updates to the
state are factored out of the resource guard, thus
enhancing maintainability and facilitating more
expressive policies that take the history of access
requests into account. We also present a sound and
complete proof system for reasoning about sequences of
access requests. This gives rise to a goal-oriented
algorithm for finding minimal sequences that lead to a
specified target authorization state.",
acknowledgement = ack-nhfb,
articleno = "20",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control; Authorization; Hoare logic; policy",
}
@Article{Barthe:2010:SMP,
author = "Gilles Barthe and Tamara Rezk and Alejandro Russo and
Andrei Sabelfeld",
title = "Security of multithreaded programs by compilation",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "21:1--21:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1895977",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "End-to-End security of mobile code requires that the
code neither intentionally nor accidentally propagates
sensitive information to an adversary. Although mobile
code is commonly multithreaded low-level code,
enforcement mechanisms that ensure information
security for such programs are lacking. The modularity is
three-fold: we give modular extensions of sequential
semantics, sequential security typing, and sequential
security-type preserving compilation that allow us
to enforce security for multithreaded programs. Thanks
to the modularity, there are no more restrictions on
multithreaded source programs than on sequential ones,
and yet we guarantee that their compilations are
provably secure for a wide class of schedulers.",
acknowledgement = ack-nhfb,
articleno = "21",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "compilers; Noninterference; schedulers; type systems",
}
@Article{Ciriani:2010:CFE,
author = "Valentina Ciriani and Sabrina {De Capitani Di
Vimercati} and Sara Foresti and Sushil Jajodia and
Stefano Paraboschi and Pierangela Samarati",
title = "Combining fragmentation and encryption to protect
privacy in data storage",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "22:1--22:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805978",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The impact of privacy requirements in the development
of modern applications is increasing very quickly. Many
commercial and legal regulations are driving the need
to develop reliable solutions for protecting sensitive
information whenever it is stored, processed, or
communicated to external parties. To this purpose,
encryption techniques are currently used in many
scenarios where data protection is required since they
provide a layer of protection against the disclosure of
personal information, which safeguards companies from
the costs that may arise from exposing their data to
privacy breaches. However, dealing with encrypted data
may make query processing more expensive.\par
In this article, we address these issues by proposing a
solution to enforce the privacy of data collections
that combines data fragmentation with encryption. We
model privacy requirements as confidentiality
constraints expressing the sensitivity of attributes
and their associations. We then use encryption as an
underlying (conveniently available) measure for making
data unintelligible while exploiting fragmentation as a
way to break sensitive associations among attributes.
We formalize the problem of minimizing the impact of
fragmentation in terms of number of fragments and their
affinity and present two heuristic algorithms for
solving such problems. We also discuss experimental
results, comparing the solutions returned by our
heuristics with respect to optimal solutions, which
show that the heuristics, while guaranteeing a
polynomial-time computation cost, are able to retrieve
solutions close to optimum.",
acknowledgement = ack-nhfb,
articleno = "22",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "encryption; fragmentation; Privacy",
}
@Article{Thuraisingham:2010:ES,
author = "Bhavani Thuraisingham",
title = "Editorial: {SACMAT 2007}",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "23:1--23:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805979",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "23",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ni:2010:PAR,
author = "Qun Ni and Elisa Bertino and Jorge Lobo and Carolyn
Brodie and Clare-Marie Karat and John Karat and Alberto
Trombeta",
title = "Privacy-aware role-based access control",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "24:1--24:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805980",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In this article, we introduce a comprehensive
framework supporting a privacy-aware access control
mechanism, that is, a mechanism tailored to enforce
access control to data containing personally
identifiable information and, as such, privacy
sensitive. The key component of the framework is a
family of models (P-RBAC) that extend the well-known
RBAC model in order to provide full support for
expressing highly complex privacy-related policies,
taking into account features like purposes and
obligations. We formally define the notion of
privacy-aware permissions and the notion of conflicting
permission assignments in P-RBAC, together with
efficient conflict-checking algorithms. The framework
also includes a flexible authoring tool, based on the
use of the SPARCLE system, supporting the high-level
specification of P-RBAC permissions. SPARCLE supports
the use of natural language for authoring policies and
is able to automatically generate P-RBAC permissions
from these natural language specifications. In the
article, we also report performance evaluation results
and contrast our approach with other relevant access
control and privacy policy frameworks such as P3P,
EPAL, and XACML.",
acknowledgement = ack-nhfb,
articleno = "24",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "model; Privacy; purpose; Role-based access control",
}
@Article{Lee:2010:CDP,
author = "Adam J. Lee and Kazuhiro Minami and Marianne
Winslett",
title = "On the consistency of distributed proofs with hidden
subtrees",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "25:1--25:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805981",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Previous work has shown that distributed authorization
systems that fail to sample a consistent snapshot of
the underlying system during policy evaluation are
vulnerable to a number of attacks. Unfortunately, the
consistency enforcement solutions presented in previous
work were designed for systems in which only
CA-certified evidence is used during the
decision-making process, all of which is available to
the decision-making node at runtime. In this article,
we generalize previous results and present light-weight
mechanisms through which consistency constraints can be
enforced in proof systems in which the full details of
a proof may be unavailable to the querier due to
information release policies, and the existence of
certificate authorities for certifying evidence is
unlikely; these types of distributed proof systems are
likely candidates for use in pervasive computing and
sensor network environments. We present modifications
to one such distributed proof system that enable three
types of consistency constraints to be enforced while
still respecting the same confidentiality and integrity
policies as the original proof system. We then discuss
how these techniques can be adapted and applied to
other, less restrictive, distributed proof systems.
Further, we detail a performance analysis that
illustrates the modest overheads of our consistency
enforcement schemes.",
acknowledgement = ack-nhfb,
articleno = "25",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "Consistency; distributed proving; pervasive
computing",
}
@Article{Hicks:2010:LSA,
author = "Boniface Hicks and Sandra Rueda and Luke {St. Clair}
and Trent Jaeger and Patrick McDaniel",
title = "A logical specification and analysis for {SELinux MLS}
policy",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "26:1--26:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805874.1805982",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/linux.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib;
http://www.math.utah.edu/pub/tex/bib/unix.bib",
abstract = "The SELinux mandatory access control (MAC) policy has
recently added a multilevel security (MLS) model which
is able to express a fine granularity of control over a
subject's access rights. The problem is that the
richness of the SELinux MLS model makes it impractical
to manually evaluate that a given policy meets certain
specific properties. To address this issue, we have
modeled the SELinux MLS model, using a logical
specification and implemented that specification in the
Prolog language. Furthermore, we have developed some
analyses for testing information flow properties of a
given policy as well as an algorithm to determine
whether one policy is compliant with another. We have
implemented these analyses in Prolog and compiled our
implementation into a tool for SELinux MLS policy
analysis, called PALMS. Using PALMS, we verified some
important properties of the SELinux MLS reference
policy, namely that it satisfies the simple security
condition and $\star$-property defined by Bell and
LaPadula. We also evaluated whether the policy
associated to a given application is compliant with the
policy of the SELinux system in which it would be
deployed.",
acknowledgement = ack-nhfb,
articleno = "26",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "multilevel security; policy analysis; policy
compliance; SELinux",
}
@Article{Vaidya:2010:RMP,
author = "Jaideep Vaidya and Vijayalakshmi Atluri and Qi Guo",
title = "The role mining problem: a formal perspective",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "27:1--27:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1895983",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Devising a complete and correct set of roles has been
recognized as one of the most important and challenging
tasks in implementing role-based access control. A key
problem related to this is the notion of
goodness/interestingness --- when is a role
good/interesting? In this article, we define the {\em
Role Mining Problem\/} (RMP) as the problem of
discovering an optimal set of roles from existing user
permissions. The main contribution of this article is
to formally define RMP and analyze its theoretical
bounds. In addition to the above basic RMP, we
introduce two different variations of the RMP, called
the {\em $\delta$-Approx RMP\/} and the {\em
minimal-noise RMP\/} that have pragmatic implications.
We reduce the known ``Set Basis Problem'' to RMP to
show that RMP is an NP-complete problem. An important
contribution of this article is also to show the
relation of the RMP to several problems already
identified in the data mining and data analysis
literature. By showing that the RMP is in essence
reducible to these known problems, we can directly
borrow the existing implementation solutions and guide
further research in this direction. We also develop a
heuristic solution based on the previously proposed
FastMiner algorithm, which is very accurate and
efficient.",
acknowledgement = ack-nhfb,
articleno = "27",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "RBAC; role engineering; role mining",
}
@Article{Carminati:2010:FEA,
author = "Barbara Carminati and Elena Ferrari and Jianneng Cao
and Kian Lee Tan",
title = "A framework to enforce access control over data
streams",
journal = j-TISSEC,
volume = "13",
number = "3",
pages = "28:1--28:??",
month = jul,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1805974.1805984",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jul 28 14:57:15 MDT 2010",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Although access control is currently a key component
of any computational system, it is only recently that
mechanisms to guard against unauthorized access to
streaming data have started to be investigated. To cope
with this lack, in this article, we propose a general
framework to protect streaming data, which is, as much
as possible, independent from the target stream engine.
Differently from RDBMSs, up to now a standard query
language for data streams has not yet emerged and this
makes the development of a general solution to access
control enforcement more difficult. The framework we
propose in this article is based on an expressive
role-based access control model proposed by us. It
exploits a query rewriting mechanism, which rewrites
user queries in such a way that they do not return
tuples/attributes that should not be accessed according
to the specified access control policies. Furthermore,
the framework contains a deployment module able to
translate the rewritten query in such a way that it can
be executed by different stream engines, therefore,
overcoming the lack of standardization. In the article,
besides presenting all the components of our framework,
we prove the correctness and completeness of the query
rewriting algorithm, and we present some experiments
that show the feasibility of the developed
techniques.",
acknowledgement = ack-nhfb,
articleno = "28",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
keywords = "access control; Data stream; secure query rewriting",
}
@Article{Kate:2010:PBO,
author = "Aniket Kate and Greg M. Zaverucha and Ian Goldberg",
title = "Pairing-Based Onion Routing with Improved Forward
Secrecy",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "29:1--29:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880023",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This article presents new protocols for onion routing
anonymity networks. We define a provably secure
privacy-preserving key agreement scheme in an
identity-based infrastructure setting, and use it to
design new onion routing circuit constructions. These
constructions, based on a user's selection, offer
immediate or eventual forward secrecy at each node in a
circuit and require significantly less computation and
communication than the telescoping mechanism used by
the Tor project. Further, the use of an identity-based
infrastructure also leads to a reduction in the
required amount of authenticated directory
information.",
acknowledgement = ack-nhfb,
articleno = "29",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Pennington:2010:SBI,
author = "Adam G. Pennington and John Linwood Griffin and John
S. Bucy and John D. Strunk and Gregory R. Ganger",
title = "Storage-Based Intrusion Detection",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "30:1--30:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880024",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Storage-based intrusion detection consists of storage
systems watching for and identifying data access
patterns characteristic of system intrusions. Storage
systems can spot several common intruder actions, such
as adding backdoors, inserting Trojan horses, and
tampering with audit logs. For example, examination of
18 real intrusion tools reveals that most (15) can be
detected based on their changes to stored files.
Further, an Intrusion Detection System (IDS) embedded
in a storage device continues to operate even after
client operating systems are compromised. We describe
and evaluate a prototype storage IDS, built into a disk
emulator, to demonstrate both feasibility and
efficiency of storage-based intrusion detection.",
acknowledgement = ack-nhfb,
articleno = "30",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bobba:2010:ABM,
author = "Rakesh Bobba and Omid Fatemieh and Fariba Khan and
Arindam Khan and Carl A. Gunter and Himanshu Khurana
and Manoj Prabhakaran",
title = "Attribute-Based Messaging: Access Control and
Confidentiality",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "31:1--31:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880025",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Attribute-Based Messaging (ABM) enables messages to be
addressed using attributes of recipients rather than an
explicit list of recipients. Such messaging offers
benefits of efficiency, exclusiveness, and
intensionality, but faces challenges in access control
and confidentiality. In this article we explore an
approach to intraenterprise ABM based on providing
access control and confidentiality using information
from the same attribute database exploited by the
addressing scheme. We show how to address three key
challenges. First, we demonstrate a manageable access
control system based on attributes. Second, we
demonstrate use of attribute-based encryption to
provide end-to-end confidentiality. Third, we show that
such a system can be efficient enough to support ABM
for mid-size enterprises.",
acknowledgement = ack-nhfb,
articleno = "31",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Li:2010:AIS,
author = "Feifei Li and Marios Hadjieleftheriou and George
Kollios and Leonid Reyzin",
title = "Authenticated Index Structures for Aggregation
Queries",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "32:1--32:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880026",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Query authentication is an essential component in
Outsourced DataBase (ODB) systems. This article
introduces efficient index structures for
authenticating aggregation queries over large datasets.
First, we design an index that features good
performance characteristics for static environments.
Then, we propose more involved structures for the
dynamic case. Our structures feature excellent
performance for authenticating queries with multiple
aggregate attributes and multiple selection predicates.
Furthermore, our techniques cover a large number of
aggregate types, including distributive aggregates
(such as SUM, COUNT, MIN, and MAX), algebraic
aggregates (such as the AVG), and holistic aggregates
(such as MEDIAN and QUANTILE). We have also addressed
the issue of authenticating aggregation queries
efficiently when the database is encrypted to protect
data confidentiality.",
acknowledgement = ack-nhfb,
articleno = "32",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Sarkar:2010:SGC,
author = "Palash Sarkar",
title = "A Simple and Generic Construction of Authenticated
Encryption with Associated Data",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "33:1--33:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880027",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We revisit the problem of constructing a protocol for
performing Authenticated Encryption with Associated
Data (AEAD). A technique is described which combines a
collision-resistant hash function with a protocol for
Authenticated Encryption (AE). The technique is both
simple and generic and does not require any additional
key material beyond that of the AE protocol. Concrete
instantiations are shown where a 256-bit hash function
is combined with some known single-pass AE protocols
employing either 128-bit or 256-bit block ciphers. This
results in possible efficiency improvement in the
processing of the header.",
acknowledgement = ack-nhfb,
articleno = "33",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Schultz:2010:MMP,
author = "David Schultz and Barbara Liskov and Moses Liskov",
title = "{MPSS}: {Mobile Proactive Secret Sharing}",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "34:1--34:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880028",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This article describes MPSS, a new way to do proactive
secret sharing. MPSS provides mobility: The group of
nodes holding the shares of the secret can change at
each resharing, which is essential in a long-lived
system. MPSS additionally allows the number of
tolerated faulty shareholders to change when the secret
is moved so that the system can tolerate more (or
fewer) corruptions; this allows reconfiguration
on-the-fly to accommodate changes in the environment.
MPSS includes an efficient protocol that is intended to
be used in practice. The protocol is optimized for the
common case of no or few failures, but degradation when
there are more failures is modest.",
acknowledgement = ack-nhfb,
articleno = "34",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wright:2010:USP,
author = "Charles V. Wright and Lucas Ballard and Scott E. Coull
and Fabian Monrose and Gerald M. Masson",
title = "Uncovering Spoken Phrases in Encrypted Voice over {IP}
Conversations",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "35:1--35:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880029",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Although Voice over IP (VoIP) is rapidly being
adopted, its security implications are not yet fully
understood. Since VoIP calls may traverse untrusted
networks, packets should be encrypted to ensure
confidentiality. However, we show that it is possible
to identify the phrases spoken within encrypted VoIP
calls when the audio is encoded using variable bit rate
codecs. To do so, we train a hidden Markov model using
only knowledge of the phonetic pronunciations of words,
such as those provided by a dictionary, and search
packet sequences for instances of specified phrases.
Our approach does not require examples of the speaker's
voice, or even example recordings of the words that
make up the target phrase. We evaluate our techniques
on a standard speech recognition corpus containing over
2,000 phonetically rich phrases spoken by 630 distinct
speakers from across the continental United States. Our
results indicate that we can identify phrases within
encrypted calls with an average accuracy of 50\%, and
with accuracy greater than 90\% for some phrases.
Clearly, such an attack calls into question the
efficacy of current VoIP encryption standards. In
addition, we examine the impact of various features of
the underlying audio on our performance and discuss
methods for mitigation.",
acknowledgement = ack-nhfb,
articleno = "35",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Molloy:2010:MRM,
author = "Ian Molloy and Hong Chen and Tiancheng Li and Qihua
Wang and Ninghui Li and Elisa Bertino and Seraphin Calo
and Jorge Lobo",
title = "Mining Roles with Multiple Objectives",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "36:1--36:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880030",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "With the growing adoption of Role-Based Access Control
(RBAC) in commercial security and identity management
products, how to facilitate the process of migrating a
non-RBAC system to an RBAC system has become a problem
with significant business impact. Researchers have
proposed to use data mining techniques to discover
roles to complement the costly top-down approaches for
RBAC system construction. An important problem is how
to construct RBAC systems with low complexity. In this
article, we define the notion of weighted structural
complexity measure and propose a role mining algorithm
that mines RBAC systems with low structural complexity.
Another key problem that has not been adequately
addressed by existing role mining approaches is how to
discover roles with semantic meanings.",
acknowledgement = ack-nhfb,
articleno = "36",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Libert:2010:KES,
author = "Beno{\^\i}t Libert and Jean-Jacques Quisquater and
Moti Yung",
title = "Key Evolution Systems in Untrusted Update
Environments",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "37:1--37:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880031",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Forward-Secure Signatures (FSS) prevent forgeries for
past time periods when an attacker obtains full access
to the signer's storage by evolving the private key in
a one-way fashion. To simplify the integration of these
primitives into standard security architectures, Boyen
et al. [2006] recently introduced the concept of
forward-secure signatures with untrusted updates where
private keys are additionally protected by a second
factor (derived from a password). Key updates can be
made on an encrypted version of signing keys so that
passwords only come into play for signing messages and
not at update time (since update is not user-driven).
The scheme put forth by Boyen et al.",
acknowledgement = ack-nhfb,
articleno = "37",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Zage:2010:RDV,
author = "David Zage and Cristina Nita-Rotaru",
title = "Robust Decentralized Virtual Coordinate Systems in
Adversarial Environments",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "38:1--38:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880032",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Virtual coordinate systems provide an accurate and
efficient service that allows hosts on the Internet to
determine the latency to arbitrary hosts without
actively monitoring all of the nodes in the network.
Many of the proposed systems were designed with the
assumption that all of the nodes are altruistic.
However, this assumption may be violated by compromised
nodes acting maliciously to degrade the accuracy of the
coordinate system. As numerous peer-to-peer
applications come to rely on virtual coordinate systems
to achieve good performance, it is critical to address
the security of such systems. In this work, we
demonstrate the vulnerability of decentralized virtual
coordinate systems to insider (or Byzantine) attacks.",
acknowledgement = ack-nhfb,
articleno = "38",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Tsang:2010:BRR,
author = "Patrick P. Tsang and Man Ho Au and Apu Kapadia and
Sean W. Smith",
title = "{BLAC}: Revoking Repeatedly Misbehaving Anonymous
Users without Relying on {TTPs}",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "39:1--39:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880033",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Several credential systems have been proposed in which
users can authenticate to service providers
anonymously. Since anonymity can give users the license
to misbehave, some variants allow the selective
deanonymization (or linking) of misbehaving users upon
a complaint to a Trusted Third Party (TTP). The ability
of the TTP to revoke a user's privacy at any time,
however, is too strong a punishment for misbehavior. To
limit the scope of deanonymization, some systems have
been proposed in which users can be deanonymized only
if they authenticate ``too many times,'' such as
``double spending'' with electronic cash. While useful
in some applications, such techniques cannot be
generalized to more subjective definitions of
misbehavior; for example, using such schemes it is not
possible to block anonymous users who ``deface too many
Web pages'' on a Web site.",
acknowledgement = ack-nhfb,
articleno = "39",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wang:2010:SRW,
author = "Qihua Wang and Ninghui Li",
title = "Satisfiability and Resiliency in Workflow
Authorization Systems",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "40:1--40:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880034",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We propose the role-and-relation-based access control
(R2BAC) model for workflow authorization systems. In
R2BAC, in addition to a user's role memberships, the
user's relationships with other users help determine
whether the user is allowed to perform a certain step
in a workflow. For example, a constraint may require
that two steps must not be performed by users who have
conflicts of interests. We study the computational
complexity of the workflow satisfiability problem,
which asks whether a set of users can complete a
workflow. In particular, we apply tools from
parameterized complexity theory to better understand
the complexities of this problem. Furthermore, we
reduce the workflow satisfiability problem to SAT and
apply SAT solvers to address the problem.",
acknowledgement = ack-nhfb,
articleno = "40",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Mukhamedov:2010:IEP,
author = "Aybek Mukhamedov and Mark D. Ryan",
title = "Identity Escrow Protocol and Anonymity Analysis in the
Applied Pi-Calculus",
journal = j-TISSEC,
volume = "13",
number = "4",
pages = "41:1--41:??",
month = dec,
year = "2010",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1880022.1880035",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jan 12 17:10:07 MST 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Anonymity with identity escrow attempts to allow users
of an online service to remain anonymous, while
providing the possibility that the service owner can
break the anonymity in exceptional circumstances, such
as to assist in a criminal investigation. In the
article, we propose an identity escrow protocol that
distributes user identity among several escrow agents.
The main feature of our scheme is that it is based on
standard encryption algorithms and provides user
anonymity even if all but one of the escrow holders are
dishonest and acting in a coalition. We also present an
analysis of the anonymity property of our protocol in
the applied pi-calculus.",
acknowledgement = ack-nhfb,
articleno = "41",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Li:2011:ISS,
author = "Ninghui Li",
title = "Introduction to special section {SACMAT'08}",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "1:1--1:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952983",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bauer:2011:DRP,
author = "Lujo Bauer and Scott Garriss and Michael K. Reiter",
title = "Detecting and resolving policy misconfigurations in
access-control systems",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "2:1--2:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952984",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Access-control policy misconfigurations that cause
requests to be erroneously denied can result in wasted
time, user frustration, and, in the context of
particular applications (e.g., health care), very
severe consequences. In this article we apply
association rule mining to the history of accesses to
predict changes to access-control policies that are
likely to be consistent with users' intentions, so that
these changes can be instituted in advance of
misconfigurations interfering with legitimate accesses.
Instituting these changes requires the consent of the
appropriate administrator, of course, and so a primary
contribution of our work is how to automatically
determine from whom to seek consent and how to minimize
the costs of doing so.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wei:2011:ARH,
author = "Qiang Wei and Jason Crampton and Konstantin Beznosov
and Matei Ripeanu",
title = "Authorization recycling in hierarchical {RBAC}
systems",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "3:1--3:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952985",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "As distributed applications increase in size and
complexity, traditional authorization architectures
based on a dedicated authorization server become
increasingly fragile because this decision point
represents a single point of failure and a performance
bottleneck. Authorization caching, which enables the
reuse of previous authorization decisions, is one
technique that has been used to address these
challenges. This article introduces and evaluates the
mechanisms for authorization ``recycling'' in RBAC
enterprise systems. The algorithms that support these
mechanisms allow making precise and approximate
authorization decisions, thereby masking possible
failures of the authorization server and reducing its
load. We evaluate these algorithms analytically as well
as using simulation and a prototype implementation.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bohli:2011:RAP,
author = "Jens-Matthias Bohli and Andreas Pashalidis",
title = "Relations among privacy notions",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "4:1--4:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952986",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "This article presents a hierarchy of privacy notions
that covers multiple anonymity and unlinkability
variants. The underlying definitions, which are based
on the idea of indistinguishability between two worlds,
provide new insights into the relation between, and the
fundamental structure of, different privacy notions. We
furthermore place previous privacy definitions
concerning group signature, anonymous communication,
and secret voting systems in the context of our
hierarchy; this renders these traditionally
disconnected notions comparable.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Oligeri:2011:REA,
author = "Gabriele Oligeri and Stefano Chessa and Roberto {Di
Pietro} and Gaetano Giunta",
title = "Robust and efficient authentication of video stream
broadcasting",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "5:1--5:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952987",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present a novel video stream authentication scheme
which combines signature amortization by means of hash
chains and an advanced watermarking technique. We
propose a new hash chain construction, the Duplex Hash
Chain, which allows us to achieve bit-by-bit
authentication that is robust to low bit error rates.
This construction is well suited for wireless broadcast
communications characterized by low packet losses such
as in satellite networks. Moreover, neither hardware
upgrades nor specific end-user equipment are needed to
enjoy the authentication services. The computation
overhead experienced on the receiver only sums to two
hashes per block of pictures and one digital signature
verification for the whole received stream.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Demsky:2011:CAD,
author = "Brian Demsky",
title = "Cross-application data provenance and policy
enforcement",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "6:1--6:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952988",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present a new technique that can trace data
provenance and enforce data access policies across
multiple applications and machines. We have developed
Garm, a tool that uses binary rewriting to implement
this technique on arbitrary binaries. Users can use
Garm to attach access policies to data and Garm
enforces the policy on all accesses to the data (and
any derived data) across all applications and
executions. Garm uses static analysis to generate
optimized instrumentation that traces the provenance of
an application's state and the policies that apply to
this state. Garm monitors the interactions of the
application with the underlying operating system to
enforce policies.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Dong:2011:PDA,
author = "Jing Dong and Reza Curtmola and Cristina
Nita-Rotaru",
title = "Practical defenses against pollution attacks in
wireless network coding",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "7:1--7:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952989",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Recent studies have shown that network coding can
provide significant benefits to network protocols, such
as increased throughput, reduced network congestion,
higher reliability, and lower power consumption. The
core principle of network coding is that intermediate
nodes actively mix input packets to produce output
packets. This mixing subjects network coding systems to
a severe security threat, known as a pollution attack,
where attacker nodes inject corrupted packets into the
network. Corrupted packets propagate in an epidemic
manner, depleting network resources and significantly
decreasing throughput. Pollution attacks are
particularly dangerous in wireless networks, where
attackers can easily inject packets or compromise
devices due to the increased network vulnerability.",
acknowledgement = ack-nhfb,
articleno = "7",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Schneider:2011:NAL,
author = "Fred B. Schneider and Kevin Walsh and Emin G{\"u}n
Sirer",
title = "{Nexus Authorization Logic (NAL)}: Design rationale
and applications",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "8:1--8:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952990",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Nexus Authorization Logic (NAL) provides a principled
basis for specifying and reasoning about credentials
and authorization policies. It extends prior access
control logics that are based on ``says'' and ``speaks
for'' operators. NAL enables authorization of access
requests to depend on (i) the source or pedigree of the
requester, (ii) the outcome of any mechanized analysis
of the requester, or (iii) the use of trusted software
to encapsulate or modify the requester. To illustrate
the convenience and expressive power of this approach
to authorization, a suite of document-viewer
applications was implemented to run on the Nexus
operating system.",
acknowledgement = ack-nhfb,
articleno = "8",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bruns:2011:ACB,
author = "Glenn Bruns and Michael Huth",
title = "Access control via {Belnap} logic: Intuitive,
expressive, and analyzable policy composition",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "9:1--9:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952991",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Access control to IT systems increasingly relies on
the ability to compose policies. Hence there is benefit
in any framework for policy composition that is
intuitive, formal (and so ``analyzable'' and
``implementable''), expressive, independent of specific
application domains, and yet able to be extended to
create domain-specific instances. Here we develop such
a framework based on Belnap logic. An access-control
policy is interpreted as a four-valued predicate that
maps access requests to either grant, deny, conflict,
or unspecified -- the four values of the Belnap
bilattice. We define an expressive access-control
policy language PBel, having composition operators
based on the operators of Belnap logic.",
acknowledgement = ack-nhfb,
articleno = "9",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Coull:2011:ACO,
author = "Scott E. Coull and Matthew Green and Susan
Hohenberger",
title = "Access controls for oblivious and anonymous systems",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "10:1--10:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952992",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The use of privacy-enhancing cryptographic protocols,
such as anonymous credentials and oblivious transfer,
could have a detrimental effect on the ability of
providers to effectively implement access controls on
their content. In this article, we propose a stateful
anonymous credential system that allows the provider to
implement nontrivial, real-world access controls on
oblivious protocols conducted with anonymous users. Our
system models the behavior of users as a state machine
and embeds that state within an anonymous credential to
restrict access to resources based on the state
information. The use of state machine models of user
behavior allows the provider to restrict the users'
actions according to a wide variety of access control
models without learning anything about the users'
identities or actions.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Burmester:2011:LRA,
author = "Mike Burmester and Jorge Munilla",
title = "Lightweight {RFID} authentication with forward and
backward security",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "11:1--11:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952993",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We propose a lightweight RFID authentication protocol
that supports forward and backward security. The only
cryptographic mechanism that this protocol uses is a
pseudorandom number generator (PRNG) that is shared
with the backend Server. Authentication is achieved by
exchanging a few numbers (3 or 5) drawn from the PRNG.
The lookup time is constant, and the protocol can be
easily adapted to prevent online man-in-the-middle
relay attacks. Security is proven in the UC security
framework.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ateniese:2011:RDC,
author = "Giuseppe Ateniese and Randal Burns and Reza Curtmola
and Joseph Herring and Osama Khan and Lea Kissner and
Zachary Peterson and Dawn Song",
title = "Remote data checking using provable data possession",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "12:1--12:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952994",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We introduce a model for provable data possession
(PDP) that can be used for remote data checking: A
client that has stored data at an untrusted server can
verify that the server possesses the original data
without retrieving it. The model generates
probabilistic proofs of possession by sampling random
sets of blocks from the server, which drastically
reduces I/O costs. The client maintains a constant
amount of metadata to verify the proof. The
challenge/response protocol transmits a small, constant
amount of data, which minimizes network communication.
Thus, the PDP model for remote data checking is
lightweight and supports large data sets in distributed
storage systems.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Liu:2011:FDI,
author = "Yao Liu and Peng Ning and Michael K. Reiter",
title = "False data injection attacks against state estimation
in electric power grids",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "13:1--13:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952995",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A power grid is a complex system connecting electric
power generators to consumers through power
transmission and distribution networks across a large
geographical area. System monitoring is necessary to
ensure the reliable operation of power grids, and state
estimation is used in system monitoring to best
estimate the power grid state through analysis of meter
measurements and power system models. Various
techniques have been developed to detect and identify
bad measurements, including interacting bad
measurements introduced by arbitrary, nonrandom causes.
At first glance, it seems that these techniques can
also defeat malicious measurements injected by
attackers. In this article, we expose an unknown
vulnerability of existing bad measurement detection
algorithms by presenting and analyzing a new class of
attacks, called false data injection attacks, against
state estimation in electric power grids.",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Crampton:2011:PEC,
author = "Jason Crampton",
title = "Practical and efficient cryptographic enforcement of
interval-based access control policies",
journal = j-TISSEC,
volume = "14",
number = "1",
pages = "14:1--14:??",
month = may,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/1952982.1952996",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Jun 2 07:27:23 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The enforcement of access control policies using
cryptography has received considerable attention in
recent years and the security of such enforcement
schemes is increasingly well understood. Recent work in
the area has considered the efficient enforcement of
temporal and geo-spatial access control policies, and
asymptotic results for the time and space complexity of
efficient enforcement schemes have been obtained.
However, for practical purposes, it is useful to have
explicit bounds for the complexity of enforcement
schemes. In this article we consider interval-based
access control policies, of which temporal and
geo-spatial access control policies are special cases.
We define enforcement schemes for interval-based access
control policies for which it is possible, in almost
all cases, to obtain exact values for the schemes'
complexity, thereby subsuming a substantial body of
work in the literature.",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Wang:2011:CAF,
author = "Tielei Wang and Tao Wei and Guofei Gu and Wei Zou",
title = "Checksum-Aware Fuzzing Combined with Dynamic Taint
Analysis and Symbolic Execution",
journal = j-TISSEC,
volume = "14",
number = "2",
pages = "15:1--15:??",
month = sep,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2019599.2019600",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Oct 22 08:53:59 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Basin:2011:FRA,
author = "David Basin and Srdjan Capkun and Patrick Schaller and
Benedikt Schmidt",
title = "Formal Reasoning about Physical Properties of Security
Protocols",
journal = j-TISSEC,
volume = "14",
number = "2",
pages = "16:1--16:??",
month = sep,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2019599.2019601",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Oct 22 08:53:59 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Crosby:2011:ADR,
author = "Scott A. Crosby and Dan S. Wallach",
title = "Authenticated Dictionaries: Real-World Costs and
Trade-Offs",
journal = j-TISSEC,
volume = "14",
number = "2",
pages = "17:1--17:??",
month = sep,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2019599.2019602",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Oct 22 08:53:59 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "17",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Appel:2011:SSV,
author = "Andrew W. Appel",
title = "Security Seals on Voting Machines: a Case Study",
journal = j-TISSEC,
volume = "14",
number = "2",
pages = "18:1--18:??",
month = sep,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2019599.2019603",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Oct 22 08:53:59 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "18",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Schreuders:2011:EEU,
author = "Z. Cliffe Schreuders and Tanya McGill and Christian
Payne",
title = "Empowering End Users to Confine Their Own
Applications: The Results of a Usability Study
Comparing {SELinux}, {AppArmor}, and {FBAC-LSM}",
journal = j-TISSEC,
volume = "14",
number = "2",
pages = "19:1--19:??",
month = sep,
year = "2011",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2019599.2019604",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Sat Oct 22 08:53:59 MDT 2011",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
acknowledgement = ack-nhfb,
articleno = "19",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Williams:2011:POO,
  author =       "Peter Williams and Radu Sion and Miroslava Sotakova",
  title =        "Practical Oblivious Outsourced Storage",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "20:1--20:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2019599.2019605",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "20",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Xiang:2011:CFR,
  author =       "Guang Xiang and Jason Hong and Carolyn P. Rose and
                 Lorrie Cranor",
  title =        "{CANTINA+}: a Feature-Rich Machine Learning Framework
                 for Detecting Phishing {Web} Sites",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "21:1--21:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2019599.2019606",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "21",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Joshi:2011:GES,
  author =       "James Joshi and Barbara Carminati",
  title =        "Guest Editorial: {SACMAT 2009} and 2010",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "22:1--22:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043622",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "22",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Krishnan:2011:GCS,
  author =       "Ram Krishnan and Jianwei Niu and Ravi Sandhu and
                 William H. Winsborough",
  title =        "Group-Centric Secure Information-Sharing Models for
                 Isolated Groups",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "23:1--23:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043623",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Group-Centric Secure Information Sharing (g-SIS)
                 envisions bringing users and objects together in a
                 group to facilitate agile sharing of information
                 brought in from external sources as well as creation of
                 new information within the group. We expect g-SIS to be
                 orthogonal and complementary to authorization systems
                 deployed within participating organizations. The
                 metaphors ``secure meeting room'' and ``subscription
                 service'' characterize the g-SIS approach. The focus of
                 this article is on developing the foundations of
                 isolated g-SIS models. Groups are isolated in the sense
                 that membership of a user or an object in a group does
                 not affect their authorizations in other groups.",
  acknowledgement = ack-nhfb,
  articleno =    "23",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Mao:2011:CDP,
  author =       "Ziqing Mao and Ninghui Li and Hong Chen and Xuxian
                 Jiang",
  title =        "Combining Discretionary Policy with Mandatory
                 Information Flow in Operating Systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "24:1--24:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043624",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Discretionary Access Control (DAC) is the primary
                 access control mechanism in today's major operating
                 systems. It is, however, vulnerable to Trojan Horse
                 attacks and attacks exploiting buggy software. We
                 propose to combine the discretionary policy in DAC with
                 the dynamic information flow techniques in MAC,
                 therefore achieving the best of both worlds, that is,
                 the DAC's easy-to-use discretionary policy
                 specification and MAC's defense against threats caused
                 by Trojan Horses and buggy programs. We propose the
                 Information Flow Enhanced Discretionary Access Control
                 (IFEDAC) model that implements this design philosophy.
                 We describe our design of IFEDAC, and discuss its
                 relationship with the Usable Mandatory Integrity
                 Protection (UMIP) model proposed earlier by us.",
  acknowledgement = ack-nhfb,
  articleno =    "24",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Leighton:2011:ACP,
  author =       "Gregory Leighton and Denilson Barbosa",
  title =        "Access Control Policy Translation, Verification, and
                 Minimization within Heterogeneous Data Federations",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "25:1--25:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043625",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Data federations provide seamless access to multiple
                 heterogeneous and autonomous data sources pertaining to
                 a large organization. As each source database defines
                 its own access control policies for a set of local
                 identities, enforcing such policies across the
                 federation becomes a challenge. In this article, we
                 first consider the problem of translating existing
                 access control policies defined over source databases
                 in a manner that allows the original semantics to be
                 observed while becoming applicable across the entire
                 data federation. We show that such a translation is
                 always possible, and provide an algorithm for
                 automating the translation. We show that verifying
                 whether a translated policy obeys the semantics of the
                 original access control policy defined over a source
                 database is intractable, even under restrictive
                 scenarios.",
  acknowledgement = ack-nhfb,
  articleno =    "25",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chan:2011:PCR,
  author =       "T.-H. Hubert Chan and Elaine Shi and Dawn Song",
  title =        "Private and Continual Release of Statistics",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "26:1--26:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043626",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We ask the question: how can Web sites and data
                 aggregators continually release updated statistics, and
                 meanwhile preserve each individual user's privacy?
                 Suppose we are given a stream of 0's and 1's. We
                 propose a differentially private continual counter that
                 outputs at every time step the approximate number of
                 1's seen thus far. Our counter construction has error
                 that is only poly-log in the number of time steps. We
                 can extend the basic counter construction to allow Web
                 sites to continually give top-k and hot items
                 suggestions while preserving users' privacy.",
  acknowledgement = ack-nhfb,
  articleno =    "26",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chan-Tin:2011:FBA,
  author =       "Eric Chan-Tin and Victor Heorhiadi and Nicholas Hopper
                 and Yongdae Kim",
  title =        "The {Frog-Boiling} Attack: Limitations of Secure
                 Network Coordinate Systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "27:1--27:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043621.2043627",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A network coordinate system assigns Euclidean
                 ``virtual'' coordinates to every node in a network to
                 allow easy estimation of network latency between pairs
                 of nodes that have never contacted each other. These
                 systems have been implemented in a variety of
                 applications, most notably the popular Vuze BitTorrent
                 client. Zage and Nita-Rotaru (at CCS 2007) and
                 independently, Kaafar et al. (at SIGCOMM 2007),
                 demonstrated that several widely-cited network
                 coordinate systems are prone to simple attacks, and
                 proposed mechanisms to defeat these attacks using
                 outlier detection to filter out adversarial inputs.
                 Kaafar et al. goes a step further and requires that a
                 fraction of the network is trusted. More recently,
                 Sherr et al. (at USENIX ATC 2009) proposed Veracity, a
                 distributed reputation system to secure network
                 coordinate systems. We describe a new attack on network
                 coordinate systems, Frog-Boiling, that defeats all of
                 these defenses. Thus, even a system with trusted
                 entities is still vulnerable to attacks. Moreover,
                 having witnesses vouch for your coordinates as in
                 Veracity does not prevent our attack. Finally, we
                 demonstrate empirically that the Frog-Boiling attack is
                 more disruptive than the previously known attacks:
                 systems that attempt to reject ``bad'' inputs by
                 statistical means or reputation cannot be used to
                 secure a network coordinate system.",
  acknowledgement = ack-nhfb,
  articleno =    "27",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gorantla:2011:MKC,
  author =       "M. C. Gorantla and Colin Boyd and Juan Manuel
                 Gonz{\'a}lez Nieto and Mark Manulis",
  title =        "Modeling key compromise impersonation attacks on group
                 key exchange protocols",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "28:1--28:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043628.2043629",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Two-party key exchange (2PKE) protocols have been
                 rigorously analyzed under various models considering
                 different adversarial actions. However, the analysis of
                 group key exchange (GKE) protocols has not been as
                 extensive as that of 2PKE protocols. Particularly, an
                 important security attribute called key compromise
                 impersonation (KCI) resilience has been completely
                 ignored for the case of GKE protocols. Informally, a
                 protocol is said to provide KCI resilience if the
                 compromise of the long-term secret key of a protocol
                 participant A does not allow the adversary to
                 impersonate an honest participant B to A. In this
                 paper, we argue that KCI resilience for GKE protocols
                 is at least as important as it is for 2PKE protocols.",
  acknowledgement = ack-nhfb,
  articleno =    "28",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
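@Article{Au:2011:PPT,
  author =       "M. Ho Au and P. P. Tsang and A. Kapadia",
  title =        "{PEREA}: Practical {TTP}-free revocation of repeatedly
                 misbehaving anonymous users",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "29:1--29:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043628.2043630",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Several anonymous authentication schemes allow servers
                 to revoke a misbehaving user's ability to make future
                 accesses. Traditionally, these schemes have relied on
                 powerful Trusted Third Parties (TTPs) capable of
                 deanonymizing (or linking) users' connections. Such
                 TTPs are undesirable because users' anonymity is not
                 guaranteed, and users must trust them to judge
                 misbehaviors fairly. Recent schemes such as
                 Blacklistable Anonymous Credentials (BLAC) and Enhanced
                 Privacy ID (EPID) support ``privacy-enhanced
                 revocation''---servers can revoke misbehaving users
                 without a TTP's involvement, and without learning the
                 revoked users' identities. In BLAC and EPID, however,
                 the computation required for authentication at the
                 server is linear in the size (L) of the revocation
                 list, which is impractical as the size approaches
                 thousands of entries.",
  acknowledgement = ack-nhfb,
  articleno =    "29",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}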
@Article{Li:2011:TRP,
  author =       "Yingjiu Li and Robert H. Deng and Junzuo Lai and
                 Changshe Ma",
  title =        "On two {RFID} privacy notions and their relations",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "30:1--30:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043628.2043631",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Privacy of RFID systems is receiving increasing
                 attention in the RFID community. Basically, there are
                 two kinds of RFID privacy notions in the literature:
                 one based on the indistinguishability of two tags,
                 denoted as ind-privacy, and the other based on the
                 unpredictability of the output of an RFID protocol,
                 denoted as unp-privacy. In this article, we first
                 revisit the existing unpredictability-based RFID
                 privacy models and point out their limitations. We then
                 propose a new RFID privacy model, denoted as
                 unp*-privacy, based on the indistinguishability of a
                 real tag and a virtual tag. We formally clarify its
                 relationship with the ind-privacy model.",
  acknowledgement = ack-nhfb,
  articleno =    "30",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Burkhart:2011:PPD,
  author =       "Martin Burkhart and Xenofontas Dimitropoulos",
  title =        "Privacy-preserving distributed network
                 troubleshooting---bridging the gap between theory and
                 practice",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "31:1--31:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043628.2043632",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Today, there is a fundamental imbalance in
                 cybersecurity. While attackers act more and more
                 globally and coordinated, network defense is limited to
                 examine local information only due to privacy concerns.
                 To overcome this privacy barrier, we use secure
                 multiparty computation (MPC) for the problem of
                 aggregating network data from multiple domains. We
                 first optimize MPC comparison operations for processing
                 high volume data in near real-time by not enforcing
                 protocols to run in a constant number of
                 synchronization rounds. We then implement a complete
                 set of basic MPC primitives in the SEPIA library. For
                 parallel invocations, SEPIA's basic operations are
                 between 35 and several hundred times faster than those
                 of comparable MPC frameworks.",
  acknowledgement = ack-nhfb,
  articleno =    "31",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bethea:2011:SSV,
  author =       "Darrell Bethea and Robert A. Cochran and Michael K.
                 Reiter",
  title =        "Server-side verification of client behavior in online
                 games",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "32:1--32:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2043628.2043633",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Online gaming is a lucrative and growing industry but
                 one that is slowed by cheating that compromises the
                 gaming experience and hence drives away players (and
                 revenue). In this paper we develop a technique by which
                 game developers can enable game operators to validate
                 the behavior of game clients as being consistent with
                 valid execution of the sanctioned client software. Our
                 technique employs symbolic execution of the client
                 software to extract constraints on client-side state
                 implied by each client-to-server message, and then uses
                 constraint solving to determine whether the sequence of
                 client-to-server messages can be ``explained'' by any
                 possible user inputs, in light of the server-to-client
                 messages already received.",
  acknowledgement = ack-nhfb,
  articleno =    "32",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Syverson:2012:GES,
  author =       "Paul Syverson and Somesh Jha",
  title =        "Guest Editorial: Special Issue on Computer and
                 Communications Security",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "1:1--1:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2133375.2133376",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Roemer:2012:ROP,
  author =       "Ryan Roemer and Erik Buchanan and Hovav Shacham and
                 Stefan Savage",
  title =        "Return-Oriented Programming: Systems, Languages, and
                 Applications",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "2:1--2:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2133375.2133377",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce return-oriented programming, a technique
                 by which an attacker can induce arbitrary behavior in a
                 program whose control flow he has diverted, without
                 injecting any code. A return-oriented program chains
                 together short instruction sequences already present in
                 a program's address space, each of which ends in a
                 ``return'' instruction. Return-oriented programming
                 defeats the $W \oplus X$ protections recently deployed
                 by Microsoft, Intel, and AMD; in this context, it can
                 be seen as a generalization of traditional
                 return-into-libc attacks. But the threat is more
                 general. Return-oriented programming is readily
                 exploitable on multiple architectures and systems. It
                 also bypasses an entire category of security
                 measures---those that seek to prevent malicious
                 computation by preventing the execution of malicious
                 code. To demonstrate the wide applicability of
                 return-oriented programming, we construct a
                 Turing-complete set of building blocks called gadgets
                 using the standard C libraries of two very different
                 architectures: Linux/x86 and Solaris/SPARC. To
                 demonstrate the power of return-oriented programming,
                 we present a high-level, general-purpose language for
                 describing return-oriented exploits and a compiler that
                 translates it to gadgets.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bhargavan:2012:VCI,
  author =       "Karthikeyan Bhargavan and C{\'e}dric Fournet and
                 Ricardo Corin and Eugen Zalinescu",
  title =        "Verified Cryptographic Implementations for {TLS}",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "3:1--3:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2133375.2133378",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We narrow the gap between concrete implementations of
                 cryptographic protocols and their verified models. We
                 develop and verify a small functional implementation of
                 the Transport Layer Security protocol (TLS 1.0). We
                 make use of the same executable code for
                 interoperability testing against mainstream
                 implementations for automated symbolic cryptographic
                 verification and automated computational cryptographic
                 verification. We rely on a combination of recent tools
                 and also develop a new tool for extracting
                 computational models from executable code. We obtain
                 strong security guarantees for TLS as used in typical
                 deployments.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Camenisch:2012:EAA,
  author =       "Jan Camenisch and Thomas Gro{\ss}",
  title =        "Efficient Attributes for Anonymous Credentials",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "4:1--4:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2133375.2133379",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We extend the Camenisch-Lysyanskaya anonymous
                 credential system such that selective disclosure of
                 attributes becomes highly efficient. The resulting
                 system significantly improves upon existing approaches,
                 which suffer from a linear number of modular
                 exponentiations in the total number of attributes. This
                 limitation makes them unfit for many practical
                 applications, such as electronic identity cards. Our
                 novel approach can incorporate a large number of binary
                 and finite-set attributes without significant
                 performance impact. It compresses all such attributes
                 into a single attribute base and, thus, boosts the
                 efficiency of all proofs of possession. The core idea
                 is to encode discrete binary and finite-set values as
                 prime numbers. We then use the divisibility property
                 for efficient proofs of their presence or absence. In
                 addition, we contribute efficient methods for
                 conjunctions and disjunctions. The system builds on the
                 strong RSA assumption. We demonstrate the aptness of
                 our method in realistic application scenarios, notably
                 electronic identity cards, and show its advantages for
                 small devices, such as smartcards and cell phones.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Mittal:2012:ILS,
  author =       "Prateek Mittal and Nikita Borisov",
  title =        "Information Leaks in Structured Peer-to-Peer Anonymous
                 Communication Systems",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "5:1--5:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2133375.2133380",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We analyze information leaks in the lookup mechanisms
                 of structured peer-to-peer (P2P) anonymous
                 communication systems and how these leaks can be used
                 to compromise anonymity. We show that the techniques
                 used to combat active attacks on the lookup mechanism
                 dramatically increase information leaks and the
                 efficacy of passive attacks, resulting in a tradeoff
                 between robustness to active and passive attacks. We
                 study this tradeoff in two P2P anonymous systems: Salsa
                 and AP3. In both cases, we find that, by combining both
                 passive and active attacks, anonymity can be
                 compromised much more effectively than previously
                 thought, rendering these systems insecure for most
                 proposed uses. Our results hold even if security
                 parameters are changed or other improvements to the
                 systems are considered. Our study, therefore, shows the
                 importance of considering these attacks in P2P
                 anonymous communication.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gilad:2012:LDA,
  author =       "Yossi Gilad and Amir Herzberg",
  title =        "{LOT}: a Defense Against {IP} Spoofing and Flooding
                 Attacks",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "6:1--6:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2240276.2240277",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present LOT, a lightweight plug and play secure
                 tunneling protocol deployed at network gateways. Two
                 communicating gateways, A and B, running LOT would
                 automatically detect each other and establish an
                 efficient tunnel, securing communication between them.
                 LOT tunnels allow A to discard spoofed packets that
                 specify source addresses in B's network and vice versa.
                 This helps to mitigate many attacks, including DNS
                 poisoning, network scans, and most notably
                 (Distributed) Denial of Service (DoS). LOT tunnels
                 provide several additional defenses against DoS
                 attacks. Specifically, since packets received from
                 LOT-protected networks cannot be spoofed, LOT gateways
                 implement quotas, identifying and blocking packet
                 floods from specific networks. Furthermore, a receiving
                 LOT gateway (e.g., B) can send the quota assigned to
                 each tunnel to the peer gateway (A), which can then
                 enforce near-source quotas, reducing waste and
                 congestion by filtering excessive traffic before it
                 leaves the source network. Similarly, LOT tunnels
                 facilitate near-source filtering, where the sending
                 gateway discards packets based on filtering rules
                 defined by the destination gateway. LOT gateways also
                 implement an intergateway congestion detection
                 mechanism, allowing sending gateways to detect when
                 their packets get dropped before reaching the
                 destination gateway and to perform appropriate
                 near-source filtering to block the congesting traffic;
                 this helps against DoS attacks on the backbone
                 connecting the two gateways. LOT is practical: it is
                 easy to manage (plug and play, requires no coordination
                 between gateways), deployed incrementally at edge
                 gateways (not at hosts and core routers), and has
                 negligible overhead in terms of bandwidth and
                 processing, as we validate experimentally. LOT storage
                 requirements are also modest.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
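@Article{Danev:2012:TPI,
  author =       "Boris Danev and Srdjan Capkun and Ramya Jayaram Masti
                 and Thomas S. Benjamin",
  title =        "Towards Practical Identification of {HF RFID}
                 Devices",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "7:1--7:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2240276.2240278",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The deployment of RFID poses a number of security and
                 privacy threats such as cloning, unauthorized tracking,
                 etc. Although the literature contains many
                 investigations of these issues on the logical level,
                 few works have explored the security implications of
                 the physical communication layer. Recently, related
                 studies have shown the feasibility of identifying
                 RFID-enabled devices based on physical-layer
                 fingerprints. In this work, we leverage on these
                 findings and demonstrate that physical-layer
                 identification of HF RFID devices is also practical,
                 that is, can achieve high accuracy and stability. We
                 propose an improved hardware setup and enhanced
                 techniques for fingerprint extraction and matching. Our
                 new system enables device identification with an Equal
                 Error Rate as low as 0.005 (0.5\%) on a set of 50 HF
                 RFID smart cards of the same manufacturer and type. We
                 further investigate the fingerprint stability over an
                 extended period of time and across different
                 acquisition setups. In the latter case, we propose a
                 solution based on channel equalization that preserves
                 the fingerprint quality across setups. Our results
                 strengthen the practical use of physical-layer
                 identification of RFID devices in product and document
                 anti-counterfeiting solutions.",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}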
@Article{Abadi:2012:PLR,
  author =       "Mart{\'\i}n Abadi and Gordon D. Plotkin",
  title =        "On Protection by Layout Randomization",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "8:1--8:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2240276.2240279",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Layout randomization is a powerful, popular technique
                 for software protection. We present it and study it in
                 programming-language terms. More specifically, we
                 consider layout randomization as part of an
                 implementation for a high-level programming language;
                 the implementation translates this language to a
                 lower-level language in which memory addresses are
                 numbers. We analyze this implementation, by relating
                 low-level attacks against the implementation to
                 contexts in the high-level programming language, and by
                 establishing full abstraction results.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Yavuz:2012:BFB,
  author =       "Attila A. Yavuz and Peng Ning and Michael K. Reiter",
  title =        "{BAF} and {FI-BAF}: Efficient and Publicly Verifiable
                 Cryptographic Schemes for Secure Logging in
                 Resource-Constrained Systems",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "9:1--9:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2240276.2240280",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Audit logs are an integral part of modern computer
                 systems due to their forensic value. Protecting audit
                 logs on a physically unprotected machine in hostile
                 environments is a challenging task, especially in the
                 presence of active adversaries. It is critical for such
                 a system to have forward security and append-only
                 properties such that when an adversary compromises a
                 logging machine, she cannot forge or selectively delete
                 the log entries accumulated before the compromise.
                 Existing public-key-based secure logging schemes are
                 computationally costly. Existing symmetric secure
                 logging schemes are not publicly verifiable and open to
                 certain attacks. In this article, we develop a new
                 forward-secure and aggregate signature scheme called
                 Blind-Aggregate-Forward (BAF), which is suitable for
                 secure logging in resource-constrained systems. BAF is
                 the only cryptographic secure logging scheme that can
                 produce publicly verifiable, forward-secure and
                 aggregate signatures with low computation,
                 key/signature storage, and signature communication
                 overheads for the loggers, without requiring any online
                 trusted third party support. A simple variant of BAF
                 also allows a fine-grained verification of log entries
                 without compromising the security or computational
                 efficiency of BAF. We prove that our schemes are secure
                 in Random Oracle Model (ROM). We also show that they
                 are significantly more efficient than all the previous
                 publicly verifiable cryptographic secure logging
                 schemes.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Khoury:2012:CEN,
author = "Rapha{\"e}l Khoury and Nadia Tawbi",
title = "Corrective Enforcement: a New Paradigm of Security
Policy Enforcement by Monitors",
journal = j-TISSEC,
volume = "15",
number = "2",
pages = "10:1--10:??",
month = jul,
year = "2012",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2240276.2240281",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Tue Jul 31 17:02:31 MDT 2012",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Runtime monitoring is an increasingly popular method
to ensure the safe execution of untrusted codes.
Monitors observe and transform the execution of these
codes, responding when needed to correct or prevent a
violation of a user-defined security policy. Prior
research has shown that the set of properties monitors
can enforce correlates with the latitude they are given
to transform and alter the target execution. But for
enforcement to be meaningful this capacity must be
constrained, otherwise the monitor can enforce any
property, but not necessarily in a manner that is
useful or desirable. However, such constraints have not
been significantly addressed in prior work. In this
article, we develop a new paradigm of security policy
enforcement in which the behavior of the enforcement
mechanism is restricted to ensure that valid aspects
present in the execution are preserved notwithstanding
any transformation it may perform. These restrictions
capture the desired behavior of valid executions of the
program, and are stated by way of a preorder over
sequences. The resulting model is closer than previous
ones to what would be expected of a real-life monitor,
from which we demand a minimal footprint on both valid
and invalid executions. We illustrate this framework
with examples of real-life security properties. Since
several different enforcement alternatives of the same
property are made possible by the flexibility of this
type of enforcement, our study also provides metrics
that allow the user to compare monitors objectively and
choose the best enforcement paradigm for a given
situation.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Danner:2012:EDD,
author = "Norman Danner and Sam Defabbia-Kane and Danny Krizanc
and Marc Liberatore",
title = "Effectiveness and detection of denial-of-service
attacks in {Tor}",
journal = j-TISSEC,
volume = "15",
number = "3",
pages = "11:1--11:??",
month = nov,
year = "2012",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2382448.2382449",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 28 17:25:14 MST 2012",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Tor is one of the more popular systems for anonymizing
near-real-time communications on the Internet. Borisov
et al. [2007] proposed a denial-of-service-based attack
on Tor (and related systems) that significantly
increases the probability of compromising the anonymity
provided. In this article, we analyze the effectiveness
of the attack using both an analytic model and
simulation. We also describe two algorithms for
detecting such attacks, one deterministic and proved
correct, the other probabilistic and verified in
simulation.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Brennan:2012:ASC,
author = "Michael Brennan and Sadia Afroz and Rachel
Greenstadt",
title = "Adversarial stylometry: Circumventing authorship
recognition to preserve privacy and anonymity",
journal = j-TISSEC,
volume = "15",
number = "3",
pages = "12:1--12:??",
month = nov,
year = "2012",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2382448.2382450",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 28 17:25:14 MST 2012",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The use of stylometry, authorship recognition through
purely linguistic means, has contributed to literary,
historical, and criminal investigation breakthroughs.
Existing stylometry research assumes that authors have
not attempted to disguise their linguistic writing
style. We challenge this basic assumption of existing
stylometry methodologies and present a new area of
research: adversarial stylometry. Adversaries have a
devastating effect on the robustness of existing
classification methods. Our work presents a framework
for creating adversarial passages including
obfuscation, where a subject attempts to hide her
identity, and imitation, where a subject attempts to
frame another subject by imitating his writing style,
and translation where original passages are obfuscated
with machine translation services. This research
demonstrates that manual circumvention methods work
very well while automated translation methods are not
effective. The obfuscation method reduces the
techniques' effectiveness to the level of random
guessing and the imitation attempts succeed up to 67\%
of the time depending on the stylometry technique used.
These results are more significant given the fact that
experimental subjects were unfamiliar with stylometry,
were not professional writers, and spent little time on
the attacks. This article also contributes to the field
by using human subjects to empirically validate the
claim of high accuracy for four current techniques
(without adversaries). We have also compiled and
released two corpora of adversarial stylometry texts to
promote research in this field with a total of 57
unique authors. We argue that this field is important
to a multidisciplinary approach to privacy, security,
and anonymity.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Basin:2012:DEA,
author = "David Basin and Samuel J. Burri and G{\"u}nter
Karjoth",
title = "Dynamic enforcement of abstract separation of duty
constraints",
journal = j-TISSEC,
volume = "15",
number = "3",
pages = "13:1--13:??",
month = nov,
year = "2012",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2382448.2382451",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 28 17:25:14 MST 2012",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Separation of Duties (SoD) aims at preventing fraud
and errors by distributing tasks and associated
authorizations among multiple users. Li and Wang [2008]
proposed an algebra (SoDA) for specifying SoD
requirements, which is both expressive in the
requirements it formalizes and abstract in that it is
not bound to a workflow model. In this article, we
bridge the gap between the specification of SoD
constraints modeled in SoDA and their enforcement in a
dynamic, service-oriented enterprise environment. We
proceed by generalizing SoDA's semantics to traces,
modeling workflow executions that satisfy the
respective SoDA terms. We then refine the set of traces
induced by a SoDA term to also account for a workflow's
control-flow and role-based authorizations. Our
formalization, which is based on the process algebra
CSP, supports the enforcement of SoD on general
workflows and handles changing role assignments during
workflow execution, addressing a well-known source of
fraud. The resulting CSP model serves as blueprint for
a distributed and loosely coupled architecture where
SoD enforcement is provisioned as a service. This
concept, which we call SoD as a Service, facilitates a
separation of concerns between business experts and
security professionals. As a result, integration and
configuration efforts are minimized and enterprises can
quickly adapt to organizational, regulatory, and
technological changes. We describe an implementation of
SoD as a Service, which combines commercial components
such as a workflow engine with newly developed
components such as an SoD enforcement monitor. To
evaluate our design decisions and to demonstrate the
feasibility of our approach, we present a case study of
a drug dispensation workflow deployed in a hospital.",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Feigenbaum:2012:PAO,
author = "Joan Feigenbaum and Aaron Johnson and Paul Syverson",
title = "Probabilistic analysis of onion routing in a black-box
model",
journal = j-TISSEC,
volume = "15",
number = "3",
pages = "14:1--14:??",
month = nov,
year = "2012",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2382448.2382452",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 28 17:25:14 MST 2012",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We perform a probabilistic analysis of onion routing.
The analysis is presented in a black-box model of
anonymous communication in the Universally Composable
(UC) framework that abstracts the essential properties
of onion routing in the presence of an active adversary
who controls a portion of the network and knows all a
priori distributions on user choices of destination.
Our results quantify how much the adversary can gain in
identifying users by exploiting knowledge of their
probabilistic behavior. In particular, we show that, in
the limit as the network gets large, a user u's
anonymity is worst either when the other users always
choose the destination u is least likely to visit or
when the other users always choose the destination u
chooses. This worst-case anonymity with an adversary
that controls a fraction b of the routers is shown to
be comparable to the best-case anonymity against an
adversary that controls a fraction $\sqrt b$.",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Frank:2013:RMP,
author = "Mario Frank and Joachim M. Buhmann and David Basin",
title = "Role Mining with Probabilistic Models",
journal = j-TISSEC,
volume = "15",
number = "4",
pages = "15:1--15:??",
month = apr,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2445566.2445567",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Apr 4 18:18:20 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Role mining tackles the problem of finding a
role-based access control (RBAC) configuration, given
an access-control matrix assigning users to access
permissions as input. Most role-mining approaches work
by constructing a large set of candidate roles and use
a greedy selection strategy to iteratively pick a small
subset such that the differences between the resulting
RBAC configuration and the access control matrix are
minimized. In this article, we advocate an alternative
approach that recasts role mining as an inference
problem rather than a lossy compression problem.
Instead of using combinatorial algorithms to minimize
the number of roles needed to represent the
access-control matrix, we derive probabilistic models
to learn the RBAC configuration that most likely
underlies the given matrix. Our models are generative
in that they reflect the way that permissions are
assigned to users in a given RBAC configuration. We
additionally model how user-permission assignments that
conflict with an RBAC configuration emerge and we
investigate the influence of constraints on role
hierarchies and on the number of assignments. In
experiments with access-control matrices from
real-world enterprises, we compare our proposed models
with other role-mining methods. Our results show that
our probabilistic models infer roles that generalize
well to new system users for a wide variety of data,
while other models' generalization abilities depend on
the dataset given.",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gilad:2013:FCV,
author = "Yossi Gilad and Amir Herzberg",
title = "Fragmentation Considered Vulnerable",
journal = j-TISSEC,
volume = "15",
number = "4",
pages = "16:1--16:??",
month = apr,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2445566.2445568",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Apr 4 18:18:20 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We show that fragmented IPv4 and IPv6 traffic is
vulnerable to effective interception and
denial-of-service (DoS) attacks by an off-path
attacker. Specifically, we demonstrate a weak attacker
intercepting more than 80\% of the data between peers
and causing over 94\% loss rate. We show that our
attacks are practical through experimental validation
on popular industrial and open-source products, with
realistic network setups that involve NAT or tunneling
and include concurrent legitimate traffic as well as
packet losses. The interception attack requires a
zombie agent behind the same NAT or tunnel-gateway as
the victim destination; the DoS attack only requires a
puppet agent, that is, a sandboxed applet or script
running in web-browser context. The complexity of our
attacks depends on the predictability of the IP
Identification (ID) field which is typically
implemented as one or multiple counters, as allowed and
recommended by the IP specifications. The attacks are
much simpler and more efficient for implementations,
such as Windows, which use one ID counter for all
destinations. Therefore, much of our focus is on
presenting effective attacks for implementations, such
as Linux, which use per-destination ID counters. We
present practical defenses for the attacks presented in
this article; the defenses can be deployed on network
firewalls without changes to hosts or operating system
kernel.",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ali:2013:AAD,
author = "Muhammad Qasim Ali and Ehab Al-Shaer and Hassan Khan
and Syed Ali Khayam",
title = "Automated Anomaly Detector Adaptation using Adaptive
Threshold Tuning",
journal = j-TISSEC,
volume = "15",
number = "4",
pages = "17:1--17:??",
month = apr,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2445566.2445569",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Apr 4 18:18:20 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Real-time network- and host-based Anomaly Detection
Systems (ADSs) transform a continuous stream of input
data into meaningful and quantifiable anomaly scores.
These scores are subsequently compared to a fixed
detection threshold and classified as either benign or
malicious. We argue that a real-time ADS' input changes
considerably over time and a fixed threshold value
cannot guarantee good anomaly detection accuracy for
such a time-varying input. In this article, we propose
a simple and generic technique to adaptively tune the
detection threshold of any ADS that works on threshold
method. To this end, we first perform statistical and
information-theoretic analysis of network- and
host-based ADSs' anomaly scores to reveal a consistent
time correlation structure during benign activity
periods. We model the observed correlation structure
using Markov chains, which are in turn used in a
stochastic target tracking framework to adapt an ADS'
detection threshold in accordance with real-time
measurements. We also use statistical techniques to
make the proposed algorithm resilient to sporadic
changes and evasion attacks. In order to evaluate the
proposed approach, we incorporate the proposed adaptive
thresholding module into multiple ADSs and evaluate
those ADSs over comprehensive and independently
collected network and host attack datasets. We show
that, while reducing the need of human threshold
configuration, the proposed technique provides
considerable and consistent accuracy improvements for
all evaluated ADSs.",
acknowledgement = ack-nhfb,
articleno = "17",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Jayaraman:2013:MAR,
author = "Karthick Jayaraman and Mahesh Tripunitara and Vijay
Ganesh and Martin Rinard and Steve Chapin",
title = "{Mohawk}: Abstraction-Refinement and Bound-Estimation
for Verifying Access Control Policies",
journal = j-TISSEC,
volume = "15",
number = "4",
pages = "18:1--18:??",
month = apr,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2445566.2445570",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Thu Apr 4 18:18:20 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Verifying that access-control systems maintain desired
security properties is recognized as an important
problem in security. Enterprise access-control systems
have grown to protect tens of thousands of resources,
and there is a need for verification to scale
commensurately. We present techniques for
abstraction-refinement and bound-estimation for bounded
model checkers to automatically find errors in
Administrative Role-Based Access Control (ARBAC)
security policies. ARBAC is the first and most
comprehensive administrative scheme for Role-Based
Access Control (RBAC) systems. In the
abstraction-refinement portion of our approach, we
identify and discard roles that are unlikely to be
relevant to the verification question (the abstraction
step). We then restore such abstracted roles
incrementally (the refinement steps). In the
bound-estimation portion of our approach, we lower the
estimate of the diameter of the reachability graph from
the worst-case by recognizing relationships between
roles and state-change rules. Our techniques complement
one another, and are used with conventional bounded
model checking. Our approach is sound and complete: an
error is found if and only if it exists. We have
implemented our technique in an access-control policy
analysis tool called Mohawk. We show empirically that
Mohawk scales well to realistic policies, and provide a
comparison with prior tools.",
acknowledgement = ack-nhfb,
articleno = "18",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Philippaerts:2013:CMC,
author = "Pieter Philippaerts and Yves Younan and Stijn Muylle
and Frank Piessens and Sven Lachmund and Thomas
Walter",
title = "{CPM}: Masking Code Pointers to Prevent Code Injection
Attacks",
journal = j-TISSEC,
volume = "16",
number = "1",
pages = "1:1--1:??",
month = jun,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2487222.2487223",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Jun 14 19:25:26 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Code Pointer Masking (CPM) is a novel countermeasure
against code injection attacks on native code. By
enforcing the correct semantics of code pointers, CPM
thwarts attacks that modify code pointers to divert the
application's control flow. It does not rely on secret
values such as stack canaries and protects against
attacks that are not addressed by state-of-the-art
countermeasures of similar performance. This article
reports on two prototype implementations on very
distinct processor architectures, showing that the idea
behind CPM is portable. The evaluation also shows that
the overhead of using our countermeasure is very small
and the security benefits are substantial.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Cobb:2013:LMS,
author = "William E. Cobb and Rusty O. Baldwin and Eric D.
Laspe",
title = "Leakage Mapping: a Systematic Methodology for
Assessing the Side-Channel Information Leakage of
Cryptographic Implementations",
journal = j-TISSEC,
volume = "16",
number = "1",
pages = "2:1--2:??",
month = jun,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2487222.2487224",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Jun 14 19:25:26 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We propose a generalized framework to evaluate the
side-channel information leakage of symmetric block
ciphers. The leakage mapping methodology enables the
systematic and efficient identification and mitigation
of problematic information leakages by exhaustively
considering relevant leakage models. The evaluation
procedure bounds the anticipated resistance of an
implementation to the general class of univariate
differential side-channel analysis techniques. Typical
applications are demonstrated using the well-known
Hamming weight and Hamming distance leakage models,
with recommendations for the incorporation of more
accurate models. The evaluation results are empirically
validated against correlation-based differential
side-channel analysis attacks on two typical
unprotected implementations of the Advanced Encryption
Standard.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Basin:2013:ESP,
author = "David Basin and Vincent Jug{\'e} and Felix Klaedtke
and Eugen Zalinescu",
title = "Enforceable Security Policies Revisited",
journal = j-TISSEC,
volume = "16",
number = "1",
pages = "3:1--3:??",
month = jun,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2487222.2487225",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Jun 14 19:25:26 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We revisit Schneider's work on policy enforcement by
execution monitoring. We overcome limitations of
Schneider's setting by distinguishing between system
actions that are controllable by an enforcement
mechanism and those actions that are only observable,
that is, the enforcement mechanism sees them but cannot
prevent their execution. For this refined setting, we
give necessary and sufficient conditions on when a
security policy is enforceable. To state these
conditions, we generalize the standard notion of safety
properties. Our classification of system actions also
allows one, for example, to reason about the
enforceability of policies that involve timing
constraints. Furthermore, for different specification
languages, we investigate the decision problem of
whether a given policy is enforceable. We provide
complexity results and show how to synthesize an
enforcement mechanism from an enforceable policy.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Crampton:2013:PCK,
author = "Jason Crampton and Gregory Gutin and Anders Yeo",
title = "On the Parameterized Complexity and Kernelization of
the Workflow Satisfiability Problem",
journal = j-TISSEC,
volume = "16",
number = "1",
pages = "4:1--4:??",
month = jun,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2487222.2487226",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Jun 14 19:25:26 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A workflow specification defines a set of steps and
the order in which these steps must be executed.
Security requirements may impose constraints on which
groups of users are permitted to perform subsets of
these steps. A workflow specification is said to be
satisfiable if there exists an assignment of users to
workflow steps that satisfies all the constraints. An
algorithm for determining whether such an assignment
exists is important, both as a static analysis tool for
workflow specifications and for the construction of
runtime reference monitors for workflow management
systems. Finding such an assignment is a hard problem
in general, but work by Wang and Li [2010] using the
theory of parameterized complexity suggests that
efficient algorithms exist under reasonable assumptions
about workflow specifications. In this article, we
improve the complexity bounds for the workflow
satisfiability problem. We also generalize and extend
the types of constraints that may be defined in a
workflow specification and prove that the
satisfiability problem remains fixed-parameter
tractable for such constraints. Finally, we consider
preprocessing for the problem and prove that in an
important special case, in polynomial time, we can
reduce the given input into an equivalent one where the
number of users is at most the number of steps. We also
show that no such reduction exists for two natural
extensions of this case, which bounds the number of
users by a polynomial in the number of steps, provided
a widely accepted complexity-theoretical assumption
holds.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Leonard:2013:MAP,
author = "Thomas Leonard and Martin Hall-May and Mike Surridge",
title = "Modelling Access Propagation in Dynamic Systems",
journal = j-TISSEC,
volume = "16",
number = "2",
pages = "5:1--5:??",
month = sep,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2516951.2516952",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Sep 23 17:04:07 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Access control is a critical feature of many systems,
including networks of services, processes within a
computer, and objects within a running process. The
security consequences of a particular architecture or
access control policy are often difficult to determine,
especially where some components are not under our
control, where components are created dynamically, or
where access policies are updated dynamically. The
SERSCIS Access Modeller (SAM) takes a model of a system
and explores how access can propagate through it. It
can both prove defined safety properties and discover
unwanted properties. By defining expected behaviours,
recording the results as a baseline, and then
introducing untrusted actors, SAM can discover a wide
variety of design flaws. SAM is designed to handle
dynamic systems (i.e., at runtime, new objects are
created and access policies modified) and systems where
some objects are not trusted. It extends previous
approaches such as Scollar and Authodox to provide a
programmer-friendly syntax for specifying behaviour,
and allows modelling of services with mutually
suspicious clients. Taking the Confused Deputy example
from Authodox we show that SAM detects the attack
automatically; using a web-based backup service, we
show how to model RBAC systems, detecting a missing
validation check; and using a proxy certificate system,
we show how to extend it to model new access
mechanisms. On discovering that a library fails to
follow an RFC precisely, we re-evaluate our existing
models under the new assumption and discover that the
proxy certificate design is not safe with this
library.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Cheng:2013:DVB,
author = "Yueqiang Cheng and Xuhua Ding and Robert H. Deng",
title = "{DriverGuard}: Virtualization-Based Fine-Grained
Protection on {I/O} Flows",
journal = j-TISSEC,
volume = "16",
number = "2",
pages = "6:1--6:??",
month = sep,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2505123",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Sep 23 17:04:07 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib;
http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
abstract = "Most commodity peripheral devices and their drivers
are geared to achieve high performance with security
functions being opted out. The absence of strong
security measures invites attacks on the I/O data and
consequently poses threats to those services feeding on
them, such as fingerprint-based biometric
authentication. In this article, we present a generic
solution called DriverGuard, which dynamically protects
the secrecy of I/O flows such that the I/O data are not
exposed to the malicious kernel. Our design leverages a
composite of cryptographic and virtualization
techniques to achieve fine-grained protection without
using any extra devices and modifications on user
applications. We implement the DriverGuard prototype on
Xen by adding around 1.7K SLOC. DriverGuard is
lightweight as it only needs to protect around 2\% of
the driver code's execution. We measure the performance
and evaluate the security of DriverGuard with three
input devices (keyboard, fingerprint reader and camera)
and three output devices (printer, graphic card, and
sound card). The experiment results show that
DriverGuard induces negligible overhead to the
applications.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Fu:2013:BSG,
author = "Yangchun Fu and Zhiqiang Lin",
title = "Bridging the Semantic Gap in Virtual Machine
Introspection via Online Kernel Data Redirection",
journal = j-TISSEC,
volume = "16",
number = "2",
pages = "7:1--7:??",
month = sep,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2505124",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Sep 23 17:04:07 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib;
http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
abstract = "It is generally believed to be a tedious,
time-consuming, and error-prone process to develop a
virtual machine introspection (VMI) tool because of the
semantic gap. Recent advance shows that the
semantic-gap can be largely narrowed by reusing the
executed code from a trusted OS kernel. However, the
limitation for such an approach is that it only reuses
the exercised code through a training process, which
suffers the code coverage issues. Thus, in this
article, we present Vmst, a new technique that can
seamlessly bridge the semantic gap and automatically
generate the VMI tools. The key idea is that, through
system wide instruction monitoring, Vmst automatically
identifies the introspection related data from a
secure-VM and online redirects these data accesses to
the kernel memory of a product-VM, without any
training. Vmst offers a number of new features and
capabilities. Particularly, it enables an in-VM
inspection program (e.g., ps) to automatically become
an out-of-VM introspection program. We have tested Vmst
with over 25 commonly used utilities on top of a number
of different OS kernels including Linux and Microsoft
Windows. The experimental results show that our
technique is general (largely OS-independent), and it
introduces 9.3X overhead for Linux utilities and 19.6X
overhead for Windows utilities on average for the
introspected program compared to the native in-VM
execution without data redirection.",
acknowledgement = ack-nhfb,
articleno = "7",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Serwadda:2013:ELK,
author = "Abdul Serwadda and Vir V. Phoha",
title = "Examining a Large Keystroke Biometrics Dataset for
Statistical-Attack Openings",
journal = j-TISSEC,
volume = "16",
number = "2",
pages = "8:1--8:??",
month = sep,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2516960",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Sep 23 17:04:07 MDT 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Research on keystroke-based authentication has
traditionally assumed human impostors who generate
forgeries by physically typing on the keyboard. With
bots now well understood to have the capacity to
originate precisely timed keystroke sequences, this
model of attack is likely to underestimate the threat
facing a keystroke-based system in practice. In this
work, we investigate how a keystroke-based
authentication system would perform if it were
subjected to synthetic attacks designed to mimic the
typical user. To implement the attacks, we perform a
rigorous statistical analysis on keystroke biometrics
data collected over a 2-year period from more than 3000
users, and then use the observed statistical traits to
design and launch algorithmic attacks against three
state-of-the-art password-based keystroke verification
systems. Relative to the zero-effort attacks typically
used to test the performance of keystroke biometric
systems, we show that our algorithmic attack increases
the mean Equal Error Rates (EERs) of three high
performance keystroke verifiers by between 28.6\% and
84.4\%. We also find that the impact of the attack is
more pronounced when the keystroke profiles subjected
to the attack are based on shorter strings, and that
some users see considerably greater performance
degradation under the attack than others. This article
calls for a shift from the traditional zero-effort
approach of testing the performance of password-based
keystroke verifiers, to a more rigorous algorithmic
approach that captures the threat posed by today's
bots.",
acknowledgement = ack-nhfb,
articleno = "8",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Sun:2013:BJW,
author = "Mengtao Sun and Gang Tan and Joseph Siefers and Bin
Zeng and Greg Morrisett",
title = "Bringing {Java}'s wild native world under control",
journal = j-TISSEC,
volume = "16",
number = "3",
pages = "9:1--9:??",
month = nov,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2535505",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Dec 9 11:22:22 MST 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/java2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib;
http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
abstract = "For performance and for incorporating legacy
libraries, many Java applications contain native-code
components written in unsafe languages such as C and
C++. Native-code components interoperate with Java
components through the Java Native Interface (JNI). As
native code is not regulated by Java's security model,
it poses serious security threats to the managed Java
world. We introduce a security framework that extends
Java's security model and brings native code under
control. Leveraging software-based fault isolation, the
framework puts native code in a separate sandbox and
allows the interaction between the native world and the
Java world only through a carefully designed pathway.
Two different implementations were built. In one
implementation, the security framework is integrated
into a Java Virtual Machine (JVM). In the second
implementation, the framework is built outside of the
JVM and takes advantage of JVM-independent interfaces.
The second implementation provides JVM portability, at
the expense of some performance degradation. Evaluation
of our framework demonstrates that it incurs modest
runtime overhead while significantly enhancing the
security of Java applications.",
acknowledgement = ack-nhfb,
articleno = "9",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Driessen:2013:ESA,
author = "Benedikt Driessen and Ralf Hund and Carsten Willems
and Christof Paar and Thorsten Holz",
title = "An experimental security analysis of two satphone
standards",
journal = j-TISSEC,
volume = "16",
number = "3",
pages = "10:1--10:??",
month = nov,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2535522",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Dec 9 11:22:22 MST 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "General-purpose communication systems such as GSM and
UMTS have been in the focus of security researchers for
over a decade now. Recently also technologies that are
only used under more specific circumstances have come
into the spotlight of academic research and the hacker
scene alike. A striking example of this is recent work
[Driessen et al. 2012] that analyzed the security of
the over-the-air encryption in the two existing ETSI
satphone standards GMR-1 and GMR-2. The firmware of
handheld devices was reverse-engineered and the
previously unknown stream ciphers A5-GMR-1 and A5-GMR-2
were recovered. In a second step, both ciphers were
cryptanalyzed, resulting in a ciphertext-only attack on
A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In
this work, we extend the aforementioned results in the
following ways: First, we improve the proposed attack
on A5-GMR-1 and reduce its average-case complexity from
$2^{32}$ to $2^{21}$ steps. Second, we implement a
practical attack to successfully record communications
in the Thuraya network and show that it can be done
with moderate effort for approximately \$5,000. We
describe the implementation of our modified attack and
the crucial aspects to make it practical. Using our
eavesdropping setup, we recorded 30 seconds of our own
satellite-to-satphone communication and show that we
are able to recover Thuraya session keys in half an
hour (on average). We supplement these results with
experiments designed to highlight the feasibility of
also eavesdropping on the satphone's emanations. The
purpose of this article is threefold: Develop and
demonstrate more practical attacks on A5-GMR-1,
summarize current research results in the field of
GMR-1 and GMR-2 security, and shed light on the amount
of work and expertise it takes from setting out to
analyze a complex system to actually break it in the
real world.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Blanton:2013:SVO,
author = "Marina Blanton and Yihua Zhang and Keith B. Frikken",
title = "Secure and verifiable outsourcing of large-scale
biometric computations",
journal = j-TISSEC,
volume = "16",
number = "3",
pages = "11:1--11:??",
month = nov,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2535523",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Dec 9 11:22:22 MST 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Cloud computing services are becoming more prevalent
and readily available today, bringing to us economies
of scale and making large-scale computation feasible.
Security and privacy considerations, however, stand in
the way of fully utilizing the benefits of such
services and architectures. In this work we address the
problem of secure outsourcing of large-scale biometric
experiments to a cloud or grid in a way that the client
can verify that with very high probability the task was
computed correctly. We conduct thorough theoretical
analysis of the proposed techniques and provide
implementation results that indicate that our solution
imposes modest overhead.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Williams:2013:APC,
author = "Peter Williams and Radu Sion",
title = "Access privacy and correctness on untrusted storage",
journal = j-TISSEC,
volume = "16",
number = "3",
pages = "12:1--12:??",
month = nov,
year = "2013",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2535524",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Dec 9 11:22:22 MST 2013",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We introduce a new practical mechanism for remote data
storage with access pattern privacy and correctness. A
storage client can deploy this mechanism to issue
encrypted reads, writes, and inserts to a potentially
curious and malicious storage service provider, without
revealing information or access patterns. The provider
is unable to establish any correlation between
successive accesses, or even to distinguish between a
read and a write. Moreover, the client is provided with
strong correctness assurances for its
operations --- illicit provider behavior does not go
undetected. We describe a practical system that can
execute an unprecedented several queries per second on
terabyte-plus databases while maintaining full
computational privacy and correctness.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gilad:2014:PTI,
author = "Yossi Gilad and Amir Herzberg",
title = "Off-Path {TCP} Injection Attacks",
journal = j-TISSEC,
volume = "16",
number = "4",
pages = "13:1--13:??",
month = apr,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2597173",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon May 5 18:00:10 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present practical off-path TCP injection attacks
for connections between current, nonbuggy browsers and
Web servers. The attacks allow Web-cache poisoning with
malicious objects such as spoofed Web pages and
scripts; these objects can be cached for a long period
of time, exposing any user of that cache to cross-site
scripting, cross-site request forgery, and phishing
attacks. In contrast to previous TCP injection attacks,
we do not require MitM capabilities or malware running
on the client machine. Instead, our attacks rely on a
weaker assumption, that the user only enters a
malicious Web site, but does not download or install
any application. Our attacks exploit subtle details of
the TCP and HTTP specifications, and features of
legitimate (and very common) browser implementations.
An empirical evaluation of our techniques with current
versions of browsers shows that connections with most
popular Web sites are vulnerable. We conclude this work
with practical client- and server-end defenses against
our attacks.",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Bilge:2014:EPD,
author = "Leyla Bilge and Sevil Sen and Davide Balzarotti and
Engin Kirda and Christopher Kruegel",
title = "{EXPOSURE}: a Passive {DNS} Analysis Service to Detect
and Report Malicious Domains",
journal = j-TISSEC,
volume = "16",
number = "4",
pages = "14:1--14:??",
month = apr,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2584679",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon May 5 18:00:10 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "A wide range of malicious activities rely on the
domain name service (DNS) to manage their large,
distributed networks of infected machines. As a
consequence, the monitoring and analysis of DNS queries
has recently been proposed as one of the most promising
techniques to detect and blacklist domains involved in
malicious activities (e.g., phishing, spam, botnet
command-and-control, etc.). EXPOSURE is a system we
designed to detect such domains in real time, by
applying 15 unique features grouped in four categories.
We conducted a controlled experiment with a large,
real-world dataset consisting of billions of DNS
requests. The extremely positive results obtained in
the tests convinced us to implement our techniques and
deploy them as a free, online service. In this article,
we present the EXPOSURE system and describe the results
and lessons learned from 17 months of its operation.
Over this amount of time, the service detected over
100K malicious domains. The statistics about the time
of usage, number of queries, and target IP addresses of
each domain are also published on a daily basis on the
service Web page.",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chen:2014:CDP,
author = "Liqun Chen and Hoon Wei Lim and Guomin Yang",
title = "Cross-Domain Password-Based Authenticated Key Exchange
Revisited",
journal = j-TISSEC,
volume = "16",
number = "4",
pages = "15:1--15:??",
month = apr,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2584681",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon May 5 18:00:10 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We revisit the problem of secure cross-domain
communication between two users belonging to different
security domains within an open and distributed
environment. Existing approaches presuppose that either
the users are in possession of public key certificates
issued by a trusted certificate authority (CA), or the
associated domain authentication servers share a
long-term secret key. In this article, we propose a
generic framework for designing four-party
password-based authenticated key exchange (4PAKE)
protocols. Our framework takes a different approach
from previous work. The users are not required to have
public key certificates, but they simply reuse their
login passwords, which they share with their respective
domain authentication servers. On the other hand, the
authentication servers, assumed to be part of a
standard PKI, act as ephemeral CAs that certify some
key materials that the users can subsequently use to
exchange and agree on as a session key. Moreover, we
adopt a compositional approach. That is, by treating
any secure two-party password-based key exchange
(2PAKE) protocol and two-party
asymmetric-key/symmetric-key-based key exchange
(2A/SAKE) protocol as black boxes, we combine them to
obtain generic and provably secure 4PAKE protocols.",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chen:2014:APS,
author = "Teh-Chung Chen and Torin Stepan and Scott Dick and
James Miller",
title = "An Anti-Phishing System Employing Diffused
Information",
journal = j-TISSEC,
volume = "16",
number = "4",
pages = "16:1--16:??",
month = apr,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2584680",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon May 5 18:00:10 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The phishing scam and its variants are estimated to
cost victims billions of dollars per year. Researchers
have responded with a number of anti-phishing systems,
based either on blacklists or on heuristics. The former
cannot cope with the churn of phishing sites, while the
latter usually employ decision rules that are not
congruent to human perception. We propose a novel
heuristic anti-phishing system that explicitly employs
gestalt and decision theory concepts to model
perceptual similarity. Our system is evaluated on three
corpora contrasting legitimate Web sites with
real-world phishing scams. The proposed system's
performance was equal or superior to current
best-of-breed systems. We further analyze current
anti-phishing warnings from the perspective of warning
theory, and propose a new warning design employing our
Gestalt approach.",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Arkoudas:2014:SAC,
author = "Konstantine Arkoudas and Ritu Chadha and Jason
Chiang",
title = "Sophisticated Access Control via {SMT} and Logical
Frameworks",
journal = j-TISSEC,
volume = "16",
number = "4",
pages = "17:1--17:??",
month = apr,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2595222",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon May 5 18:00:10 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We introduce a new methodology for formulating,
analyzing, and applying access-control policies.
Policies are expressed as formal theories in the SMT
(satisfiability-modulo-theories) subset of typed
first-order logic, and represented in a programmable
logical framework, with each theory extending a core
ontology of access control. We reduce both request
evaluation and policy analysis to SMT solving, and
provide experimental results demonstrating the
practicality of these reductions. We also introduce a
class of canonical requests and prove that such
requests can be evaluated in linear time. In many
application domains, access requests are either
naturally canonical or can easily be put into canonical
form. The resulting policy framework is more expressive
than XACML and languages in the Datalog family, without
compromising efficiency. Using the computational logic
facilities of the framework, a wide range of
sophisticated policy analyses (including consistency,
coverage, observational equivalence, and change impact)
receive succinct formulations whose correctness can be
straightforwardly verified. The use of SMT solving
allows us to efficiently analyze policies with
complicated numeric (integer and real) constraints, a
weak point of previous policy analysis systems.
Further, by leveraging the programmability of the
underlying logical framework, our system provides
exceptionally flexible ways of resolving conflicts and
composing policies. Specifically, we show that our
system subsumes FIA (Fine-grained Integration Algebra),
an algebra recently developed for the purpose of
integrating complex policies.",
acknowledgement = ack-nhfb,
articleno = "17",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Allodi:2014:CVS,
author = "Luca Allodi and Fabio Massacci",
title = "Comparing Vulnerability Severity and Exploits Using
Case-Control Studies",
journal = j-TISSEC,
volume = "17",
number = "1",
pages = "1:1--1:??",
month = aug,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2630069",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Aug 11 19:17:17 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "(U.S.) Rule-based policies for mitigating software
risk suggest using the CVSS score to measure the risk
of an individual vulnerability and act accordingly. A
key issue is whether the `danger' score does actually
match the risk of exploitation in the wild, and if and
how such a score could be improved. To address this
question, we propose using a case-control study
methodology similar to the procedure used to link lung
cancer and smoking in the 1950s. A case-control study
allows the researcher to draw conclusions on the
relation between some risk factor (e.g., smoking) and
an effect (e.g., cancer) by looking backward at the
cases (e.g., patients) and comparing them with controls
(e.g., randomly selected patients with similar
characteristics). The methodology allows us to quantify
the risk reduction achievable by acting on the risk
factor. We illustrate the methodology by using publicly
available data on vulnerabilities, exploits, and
exploits in the wild to (1) evaluate the performances
of the current risk factor in the industry, the CVSS
base score; (2) determine whether it can be improved by
considering additional factors such as the existence of a
proof-of-concept exploit, or of an exploit in the black
markets. Our analysis reveals that (a) fixing a
vulnerability just because it was assigned a high CVSS
score is equivalent to randomly picking vulnerabilities
to fix; (b) the existence of proof-of-concept exploits
is a significantly better risk factor; (c) fixing in
response to exploit presence in black markets yields
the largest risk reduction.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Marinovic:2014:RIB,
author = "Srdjan Marinovic and Naranker Dulay and Morris
Sloman",
title = "{Rumpole}: an Introspective Break-Glass Access Control
Language",
journal = j-TISSEC,
volume = "17",
number = "1",
pages = "2:1--2:??",
month = aug,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2629502",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Aug 11 19:17:17 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Access control policies define what resources can be
accessed by which subjects and under which conditions.
It is, however, often not possible to anticipate all
subjects that should be permitted access and the
conditions under which they should be permitted. For
example, predicting and correctly encoding all
emergency and exceptional situations is impractical.
Traditional access control models simply deny all
requests that are not permitted, and in doing so may
cause unpredictable and unacceptable consequences. To
overcome this issue, break-glass access control models
permit a subject to override an access control denial
if he accepts a set of obligatory actions and certain
override conditions are met. Existing break-glass
models are limited in how the override decision is
specified. They either grant overrides for a predefined
set of exceptional situations, or they grant unlimited
overrides to selected subjects, and as such, they
suffer from the difficulty of correctly encoding and
predicting all override situations and permissions. To
address this, we develop Rumpole, a novel break-glass
language that explicitly represents and infers
knowledge gaps and knowledge conflicts about the
subject's attributes and the contextual conditions,
such as emergencies. For example, a Rumpole policy can
distinguish whether or not it is known that an
emergency holds. This leads to a more informed decision
for an override request, whereas current break-glass
languages simply assume that there is no emergency if
the evidence for it is missing. To formally define
Rumpole, we construct a novel many-valued logic
programming language called Beagle. It has a simple
syntax similar to that of Datalog, and its semantics is
an extension of Fitting's bilattice-based semantics for
logic programs. Beagle is a knowledge non-monotonic
language, and as such, is strictly more expressive than
current many-valued logic programming languages.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Jafari:2014:FEE,
author = "Mohammad Jafari and Reihaneh Safavi-Naini and Philip
W. L. Fong and Ken Barker",
title = "A Framework for Expressing and Enforcing Purpose-Based
Privacy Policies",
journal = j-TISSEC,
volume = "17",
number = "1",
pages = "3:1--3:??",
month = aug,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2629689",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Aug 11 19:17:17 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Purpose is a key concept in privacy policies. Although
some models have been proposed for enforcing
purpose-based privacy policies, little has been done in
defining formal semantics for purpose, and therefore an
effective enforcement mechanism for such policies has
remained a challenge. We have developed a framework for
expressing and enforcing such policies by giving a
formal definition of purpose and proposing a
modal-logic language for formally expressing purpose
constraints. The semantics of this language are defined
over an abstract model of workflows. Based on this
formal framework, we discuss some properties of
purpose, show how common forms of purpose constraints
can be formalized, how purpose-based constraints can be
connected to more general access control policies, and
how they can be enforced in a workflow-based
information system by extending common access control
technologies.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Syta:2014:SAA,
author = "Ewa Syta and Henry Corrigan-Gibbs and Shu-Chun Weng
and David Wolinsky and Bryan Ford and Aaron Johnson",
title = "Security Analysis of Accountable Anonymity in
{Dissent}",
journal = j-TISSEC,
volume = "17",
number = "1",
pages = "4:1--4:??",
month = aug,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2629621",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Aug 11 19:17:17 MDT 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Users often wish to communicate anonymously on the
Internet, for example, in group discussion or instant
messaging forums. Existing solutions are vulnerable to
misbehaving users, however, who may abuse their
anonymity to disrupt communication. Dining
Cryptographers Networks (DC-nets) leave groups
vulnerable to denial-of-service and Sybil attacks; mix
networks are difficult to protect against traffic
analysis; and accountable voting schemes are unsuited
to general anonymous messaging. Dissent is the first
general protocol offering provable anonymity and
accountability for moderate-size groups, while
efficiently handling unbalanced communication demands
among users. We present an improved and hardened
Dissent protocol, define its precise security
properties, and offer rigorous proofs of these
properties. The improved protocol systematically
addresses the delicate balance between provably hiding
the identities of well-behaved users, while provably
revealing the identities of disruptive users, a
challenging task because many forms of misbehavior are
inherently undetectable. The new protocol also
addresses several nontrivial attacks on the original
Dissent protocol stemming from subtle design flaws.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Chapin:2014:SRP,
author = "Peter Chapin and Christian Skalka",
title = "{SpartanRPC}: Remote Procedure Call Authorization in
Wireless Sensor Networks",
journal = j-TISSEC,
volume = "17",
number = "2",
pages = "5:1--5:??",
month = nov,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2644809",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 19 12:26:42 MST 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We describe SpartanRPC, a secure middleware technology
that supports cooperation between distinct security
domains in wireless sensor networks. SpartanRPC extends
nesC to provide a link-layer remote procedure call
(RPC) mechanism, along with an enhancement of
configuration wirings that allow specification of
remote, dynamic endpoints. RPC invocation is secured
via an authorization logic that enables servers to
specify access policies and requires clients to prove
authorization. This mechanism is implemented using a
combination of symmetric and public key cryptography.
We report on benchmark testing of a prototype
implementation and on an application of the framework
that supports secure collaborative use and
administration of an existing WSN data-gathering
system.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Gotzfried:2014:MAT,
author = "Johannes G{\"o}tzfried and Tilo M{\"u}ller",
title = "Mutual Authentication and Trust Bootstrapping towards
Secure Disk Encryption",
journal = j-TISSEC,
volume = "17",
number = "2",
pages = "6:1--6:??",
month = nov,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2663348",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 19 12:26:42 MST 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The weakest link in software-based full disk
encryption is the authentication procedure. Since the
master boot record must be present unencrypted in order
to launch the decryption of remaining system parts, it
can easily be manipulated and infiltrated by bootkits
that perform keystroke logging; consequently,
password-based authentication schemes become
attackable. The current technological response, as
enforced by BitLocker, verifies the integrity of the
boot process by use of the trusted platform module.
But, as we show, this countermeasure is insufficient in
practice. We present STARK, the first tamperproof
authentication scheme that mutually authenticates the
computer and the user in order to resist keylogging
during boot. To achieve this, STARK implements trust
bootstrapping from a secure token to the whole PC. The
secure token is an active USB drive that verifies the
integrity of the PC and indicates the verification
status by an LED to the user. This way, users can
ensure the authenticity of the PC before entering their
passwords.",
acknowledgement = ack-nhfb,
articleno = "6",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Basin:2014:KYE,
author = "David Basin and Cas Cremers",
title = "Know Your Enemy: Compromising Adversaries in Protocol
Analysis",
journal = j-TISSEC,
volume = "17",
number = "2",
pages = "7:1--7:??",
month = nov,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2658996",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 19 12:26:42 MST 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present a symbolic framework, based on a modular
operational semantics, for formalizing different
notions of compromise relevant for the design and
analysis of cryptographic protocols. The framework's
rules can be combined to specify different adversary
capabilities, capturing different practically-relevant
notions of key and state compromise. The resulting
adversary models generalize the models currently used
in different domains, such as security models for
authenticated key exchange. We extend an existing
security-protocol analysis tool, Scyther, with our
adversary models. This extension systematically
supports notions such as weak perfect forward secrecy,
key compromise impersonation, and adversaries capable
of state-reveal queries. Furthermore, we introduce the
concept of a protocol-security hierarchy, which
classifies the relative strength of protocols against
different adversaries. In case studies, we use Scyther
to analyse protocols and automatically construct
protocol-security hierarchies in the context of our
adversary models. Our analysis confirms known results
and uncovers new attacks. Additionally, our hierarchies
refine and correct relationships between protocols
previously reported in the cryptographic literature.",
acknowledgement = ack-nhfb,
articleno = "7",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Li:2014:SCA,
author = "Peng Li and Debin Gao and Michael K. Reiter",
title = "{StopWatch}: a Cloud Architecture for Timing Channel
Mitigation",
journal = j-TISSEC,
volume = "17",
number = "2",
pages = "8:1--8:??",
month = nov,
year = "2014",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2670940",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Nov 19 12:26:42 MST 2014",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib;
http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
abstract = "This article presents StopWatch, a system that defends
against timing-based side-channel attacks that arise
from coresidency of victims and attackers in
infrastructure-as-a-service clouds. StopWatch
triplicates each cloud-resident guest virtual machine
(VM) and places replicas so that the three replicas of
a guest VM are coresident with nonoverlapping sets of
(replicas of) other VMs. StopWatch uses the timing of
I/O events at a VM's replicas collectively to determine
the timings observed by each one or by an external
observer, so that observable timing behaviors are
similarly likely in the absence of any other
individual, coresident VMs. We detail the design and
implementation of StopWatch in Xen, evaluate the
factors that influence its performance, demonstrate its
advantages relative to alternative defenses against
timing side channels with commodity hardware, and
address the problem of placing VM replicas in a cloud
under the constraints of StopWatch so as to still
enable adequate cloud utilization.",
acknowledgement = ack-nhfb,
articleno = "8",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Pietro:2015:SGE,
author = "Roberto {Di Pietro} and Gabriele Oligeri",
title = "Silence is Golden: Exploiting Jamming and Radio
Silence to Communicate",
journal = j-TISSEC,
volume = "17",
number = "3",
pages = "9:1--9:??",
month = mar,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2699906",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Mar 27 17:03:46 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Jamming techniques require only moderate resources to
be deployed, while their effectiveness in disrupting
communications is unprecedented. In this article, we
introduce several contributions to jamming mitigation.
In particular, we introduce a novel adversary model
that has both (unlimited) jamming reactive capabilities
as well as powerful (but limited) proactive jamming
capabilities. Under this adversary model, to the best
of our knowledge more powerful than any other adversary
model addressed in the literature, the communication
bandwidth provided by current anti-jamming solutions
drops to zero. We then present Silence is Golden (SiG):
a novel anti-jamming protocol that, introducing a
tunable, asymmetric communication channel, is able to
mitigate the adversary capabilities, enabling the
parties to communicate. For instance, with SiG it is
possible to deliver a 128-bits-long message with a
probability greater than 99\% in 4096 time slots
despite the presence of a jammer that jams all
on-the-fly communications and 74\% of the silent radio
spectrum---while competing proposals simply fail.
Moreover, when SiG is used in a scenario in which the
adversary can jam only a subset of all the available
frequencies, performance experiences a boost: a
128-bits-long message is delivered within just 17 time
slots for an adversary able to jam 90\% of the
available frequencies. We present a thorough
theoretical analysis for the solution, which is
supported by extensive simulation results, showing the
viability of our proposal.",
acknowledgement = ack-nhfb,
articleno = "9",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Rupp:2015:CTM,
author = "Andy Rupp and Foteini Baldimtsi and Gesine
Hinterw{\"a}lder and Christof Paar",
title = "Cryptographic Theory Meets Practice: Efficient and
Privacy-Preserving Payments for Public Transport",
journal = j-TISSEC,
volume = "17",
number = "3",
pages = "10:1--10:??",
month = mar,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2699904",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Mar 27 17:03:46 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We propose a new lightweight cryptographic payment
scheme for transit systems, called P4R
(Privacy-Preserving Pre-Payments with Refunds), which
is suitable for low-cost user devices with limited
capabilities. Using P4R, users deposit money to obtain
one-show credentials, where each credential allows the
user to make an arbitrary ride on the system. The trip
fare is determined on-the-fly at the end of the trip.
If the deposit for the credential exceeds this fare,
the user obtains a refund. Refund values collected over
several trips are aggregated in a single token, thereby
saving memory and increasing privacy. Our solution
builds on Brands's e-cash scheme to realize the
prepayment system and on Boneh-Lynn-Shacham (BLS)
signatures to implement the refund capabilities.
Compared to a Brands-only solution for transportation
payment systems, P4R allows us to minimize the number
of coins a user needs to pay for his rides and thus
minimizes the number of expensive withdrawal
transactions, as well as storage requirements for the
fairly large coins. Moreover, P4R enables flexible
pricing because it allows for exact payments of
arbitrary amounts (within a certain range) using a
single fast paying (and refund) transaction.
Fortunately, the mechanisms enabling these features
require very little computational overhead. Choosing
contemporary security parameters, we implemented P4R on
a prototyping payment device and show its suitability
for future transit payment systems. Estimation results
demonstrate that the data required for 20 rides consume
less than 10KB of memory, and the payment and refund
transactions during a ride take less than half a
second. We show that malicious users are not able to
cheat the system by receiving a refund that exceeds the
overall deposit minus the overall fare and can be
identified during double-spending checks. At the same
time, the system protects the privacy of honest users
in that transactions are anonymous (except for
deposits) and trips are unlinkable.",
acknowledgement = ack-nhfb,
articleno = "10",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Serra:2015:POA,
author = "Edoardo Serra and Sushil Jajodia and Andrea Pugliese
and Antonino Rullo and V. S. Subrahmanian",
title = "{Pareto}-Optimal Adversarial Defense of Enterprise
Systems",
journal = j-TISSEC,
volume = "17",
number = "3",
pages = "11:1--11:??",
month = mar,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2699907",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Mar 27 17:03:46 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The National Vulnerability Database (NVD) maintained
by the US National Institute of Standards and
Technology provides valuable information about
vulnerabilities in popular software, as well as any
patches available to address these vulnerabilities.
Most enterprise security managers today simply patch
the most dangerous vulnerabilities---an adversary can
thus easily compromise an enterprise by using less
important vulnerabilities to penetrate an enterprise.
In this article, we capture the vulnerabilities in an
enterprise as a Vulnerability Dependency Graph (VDG)
and show that attack graphs can be expressed in them.
We first ask the question: What set of vulnerabilities
should an attacker exploit in order to maximize his
expected impact? We show that this problem can be
solved as an integer linear program. The defender would
obviously like to minimize the impact of the worst-case
attack mounted by the attacker---but the defender also
has an obligation to ensure a high productivity within
his enterprise. We propose an algorithm that finds a
Pareto-optimal solution for the defender that allows
him to simultaneously maximize productivity and
minimize the cost of patching products on the
enterprise network. We have implemented this framework
and show that runtimes of our computations are all
within acceptable time bounds even for large VDGs
containing 30K edges and that the balance between
productivity and impact of attacks is also
acceptable.",
acknowledgement = ack-nhfb,
articleno = "11",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Ding:2015:VED,
author = "Steven H. H. Ding and Benjamin C. M. Fung and Mourad
Debbabi",
title = "A Visualizable Evidence-Driven Approach for Authorship
Attribution",
journal = j-TISSEC,
volume = "17",
number = "3",
pages = "12:1--12:??",
month = mar,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2699910",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Mar 27 17:03:46 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The Internet provides an ideal anonymous channel for
concealing computer-mediated malicious activities, as
the network-based origins of critical electronic
textual evidence (e.g., emails, blogs, forum posts,
chat logs, etc.) can be easily repudiated. Authorship
attribution is the study of identifying the actual
author of the given anonymous documents based on the
text itself, and for decades, many linguistic
stylometry and computational techniques have been
extensively studied for this purpose. However, most of
the previous research emphasizes promoting the
authorship attribution accuracy, and few works have
been done for the purpose of constructing and
visualizing the evidential traits. In addition, these
sophisticated techniques are difficult for cyber
investigators or linguistic experts to interpret. In
this article, based on the End-to-End Digital
Investigation (EEDI) framework, we propose a
visualizable evidence-driven approach, namely VEA,
which aims at facilitating the work of cyber
investigation. Our comprehensive controlled experiment
and the stratified experiment on the real-life Enron
email dataset demonstrate that our approach can achieve
even higher accuracy than traditional methods;
meanwhile, its output can be easily visualized and
interpreted as evidential traits. In addition to
identifying the most plausible author of a given text,
our approach also estimates the confidence for the
predicted result based on a given identification
context and presents visualizable linguistic evidence
for each candidate.",
acknowledgement = ack-nhfb,
articleno = "12",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Lee:2015:GAP,
author = "Hyojeong Lee and Jeff Seibert and Dylan Fistrovic and
Charles Killian and Cristina Nita-Rotaru",
title = "{Gatling}: Automatic Performance Attack Discovery in
Large-Scale Distributed Systems",
journal = j-TISSEC,
volume = "17",
number = "4",
pages = "13:1--13:??",
month = apr,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2714565",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Apr 24 17:39:52 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In this article, we propose Gatling, a framework that
automatically finds performance attacks caused by
insider attackers in large-scale message-passing
distributed systems. In performance attacks, malicious
nodes deviate from the protocol when sending or
creating messages, with the goal of degrading system
performance. We identify a representative set of basic
malicious message delivery and lying actions and design
a greedy search algorithm that finds effective attacks
consisting of a subset of these actions. Although lying
malicious actions are protocol dependent, requiring the
format and meaning of messages, Gatling captures them
without needing to modify the target system by using a
type-aware compiler. We have implemented and used
Gatling on nine systems, a virtual coordinate system, a
distributed hash table lookup service and application,
two multicast systems and one file sharing application,
and three secure systems designed specifically to
tolerate insiders, two based on virtual coordinates and
one using Outlier Detection, one invariant derived from
physical laws, and the last one a Byzantine resilient
replication system. We found a total of 48 attacks,
with the time needed to find each attack ranging from a
few minutes to a few hours.",
acknowledgement = ack-nhfb,
articleno = "13",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Zhao:2015:PGA,
author = "Ziming Zhao and Gail-Joon Ahn and Hongxin Hu",
title = "Picture Gesture Authentication: Empirical Analysis,
Automated Attacks, and Scheme Evaluation",
journal = j-TISSEC,
volume = "17",
number = "4",
pages = "14:1--14:??",
month = apr,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2701423",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Apr 24 17:39:52 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Picture gesture authentication has been recently
introduced as an alternative login experience to
text-based password on touch-screen devices. In
particular, the newly on market Microsoft Windows 8{\texttrademark}
operating system adopts such an alternative
authentication to complement its traditional text-based
authentication. We present an empirical analysis of
picture gesture authentication on more than 10,000
picture passwords collected from more than 800 subjects
through online user studies. Based on the findings of
our user studies, we propose a novel attack framework
that is capable of cracking passwords on previously
unseen pictures in a picture gesture authentication
system. Our approach is based on the concept of
selection function that models users' thought processes
in selecting picture passwords. Our evaluation results
show the proposed approach could crack a considerable
portion of picture passwords under different settings.
Based on the empirical analysis and attack results, we
comparatively evaluate picture gesture authentication
using a set of criteria for a better understanding of
its advantages and limitations.",
acknowledgement = ack-nhfb,
articleno = "14",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Erway:2015:DPD,
author = "C. Chris Erway and Alptekin K{\"u}p{\c{c}}{\"u} and
Charalampos Papamanthou and Roberto Tamassia",
title = "Dynamic Provable Data Possession",
journal = j-TISSEC,
volume = "17",
number = "4",
pages = "15:1--15:??",
month = apr,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2699909",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Apr 24 17:39:52 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "As storage-outsourcing services and resource-sharing
networks have become popular, the problem of
efficiently proving the integrity of data stored at
untrusted servers has received increased attention. In
the Provable Data Possession (PDP) model, the client
preprocesses the data and then sends them to an
untrusted server for storage while keeping a small
amount of meta-data. The client later asks the server
to prove that the stored data have not been tampered
with or deleted (without downloading the actual data).
However, existing PDP schemes apply only to static (or
append-only) files. We present a definitional framework
and efficient constructions for Dynamic Provable Data
Possession (DPDP), which extends the PDP model to
support provable updates to stored data. We use a new
version of authenticated dictionaries based on rank
information. The price of dynamic updates is a
performance change from $ O(1) $ to $ O(\log n) $ (or $
O(n^\epsilon \log n)$) for a file consisting of $n$
blocks while maintaining the same (or better,
respectively) probability of misbehavior detection. Our
experiments show that this slowdown is very low in
practice (e.g., 415KB proof size and 30ms computational
overhead for a 1GB file). We also show how to apply our
DPDP scheme to outsourced file systems and version
control systems (e.g., CVS).",
acknowledgement = ack-nhfb,
articleno = "15",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Oren:2015:AIU,
author = "Yossef Oren and Angelos D. Keromytis",
title = "Attacking the {Internet} Using Broadcast Digital
Television",
journal = j-TISSEC,
volume = "17",
number = "4",
pages = "16:1--16:??",
month = apr,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2723159",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Fri Apr 24 17:39:52 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "In the attempt to bring modern broadband Internet
features to traditional broadcast television, the
Digital Video Broadcasting (DVB) consortium introduced
a specification called Hybrid Broadcast-Broadband
Television (HbbTV), which allows broadcast streams to
include embedded HTML content that is rendered by the
television. This system is already in very wide
deployment in Europe and has recently been adopted as
part of the American digital television standard. Our
analyses of the specifications, and of real systems
implementing them, show that the broadband and
broadcast systems are combined insecurely. This enables
a large-scale exploitation technique with a localized
geographical footprint based on Radio Frequency (RF)
injection, which requires a minimal budget and
infrastructure and is remarkably difficult to detect.
In this article, we present the attack methodology and
a number of follow-on exploitation techniques that
provide significant flexibility to attackers.
Furthermore, we demonstrate that the technical
complexity and required budget are low, making this
attack practical and realistic, especially in areas
with high population density: In a dense urban area, an
attacker with a budget of about \$450 can target more
than 20,000 devices in a single attack. A unique aspect
of this attack is that, in contrast to most Internet of
Things/Cyber-Physical System threat scenarios, where
the attack comes from the data network side and affects
the physical world, our attack uses the physical
broadcast network to attack the data network.",
acknowledgement = ack-nhfb,
articleno = "16",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{DeCarneDeCarnavalet:2015:LSE,
author = "Xavier {De Carn{\'e} De Carnavalet} and Mohammad
Mannan",
title = "A Large-Scale Evaluation of High-Impact Password
Strength Meters",
journal = j-TISSEC,
volume = "18",
number = "1",
pages = "1:1--1:??",
month = jun,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2739044",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jun 10 08:04:25 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Passwords are ubiquitous in our daily digital lives.
They protect various types of assets ranging from a
simple account on an online newspaper website to our
health information on government websites. However, due
to the inherent value they protect, attackers have
developed insights into cracking/guessing passwords
both offline and online. In many cases, users are
forced to choose stronger passwords to comply with
password policies; such policies are known to alienate
users and do not significantly improve password
quality. Another solution is to put in place proactive
password-strength meters/checkers to give feedback to
users while they create new passwords. Millions of
users are now exposed to these meters on highly popular
web services that use user-chosen passwords for
authentication. More recently, these meters are also
being built into popular password managers, which
protect several user secrets including passwords.
Recent studies have found evidence that some meters
actually guide users to choose better passwords---which
is a rare bit of good news in password research.
However, these meters are mostly based on ad hoc
design. At least, as we found, most vendors do not
provide any explanation for their design choices,
sometimes making them appear as a black box. We analyze
password meters deployed in selected popular websites
and password managers. We document obfuscated
source-available meters, infer the algorithm behind the
closed-source ones, and measure the strength labels
assigned to common passwords from several password
dictionaries. From this empirical analysis with
millions of passwords, we shed light on how the server
end of some web service meters functions and provide
examples of highly inconsistent strength outcomes for
the same password in different meters, along with
examples of many weak passwords being labeled as strong
or even excellent. These weaknesses and inconsistencies
may confuse users in choosing a stronger password, and
thus may weaken the purpose of these meters. On the
other hand, we believe these findings may help improve
existing meters and possibly make them an effective
tool in the long run.",
acknowledgement = ack-nhfb,
articleno = "1",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Karame:2015:MBS,
author = "Ghassan O. Karame and Elli Androulaki and Marc
Roeschlin and Arthur Gervais and Srdjan Capkun",
title = "Misbehavior in Bitcoin: a Study of Double-Spending and
Accountability",
journal = j-TISSEC,
volume = "18",
number = "1",
pages = "2:1--2:??",
month = jun,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2732196",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jun 10 08:04:25 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Bitcoin is a decentralized payment system that relies
on Proof-of-Work (PoW) to resist double-spending
through a distributed timestamping service. To ensure
the operation and security of Bitcoin, it is essential
that all transactions and their order of execution are
available to all Bitcoin users. Unavoidably, in such a
setting, the security of transactions comes at odds
with transaction privacy. Motivated by the fact that
transaction confirmation in Bitcoin requires tens of
minutes, we analyze the conditions for performing
successful double-spending attacks against fast
payments in Bitcoin, where the time between the
exchange of currency and goods is short (in the order
of a minute). We show that unless new detection
techniques are integrated in the Bitcoin
implementation, double-spending attacks on fast
payments succeed with considerable probability and can
be mounted at low cost. We propose a new and
lightweight countermeasure that enables the detection
of double-spending attacks in fast transactions. In
light of such misbehavior, accountability becomes
crucial. We show that in the specific case of Bitcoin,
accountability complements privacy. To illustrate this
tension, we provide accountability and privacy
definition for Bitcoin, and we investigate analytically
and empirically the privacy and accountability
provisions in Bitcoin.",
acknowledgement = ack-nhfb,
articleno = "2",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Culnane:2015:VVV,
author = "Chris Culnane and Peter Y. A. Ryan and Steve Schneider
and Vanessa Teague",
title = "{vVote}: a Verifiable Voting System",
journal = j-TISSEC,
volume = "18",
number = "1",
pages = "3:1--3:??",
month = jun,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2746338",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jun 10 08:04:25 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "The Pr{\^e}t {\`a} Voter cryptographic voting system
was designed to be flexible and to offer voters a
familiar and easy voting experience. In this article,
we present our development of the Pr{\^e}t {\`a} Voter
design to a practical implementation used in a real
state election in November 2014, called vVote. As well
as solving practical engineering challenges, we have
also had to tailor the system to the idiosyncrasies of
elections in the Australian state of Victoria and the
requirements of the Victorian Electoral Commission.
This article includes general background, user
experience, and details of the cryptographic protocols
and human processes. We explain the problems, present
solutions, then analyze their security properties and
explain how they tie in to other design decisions.",
acknowledgement = ack-nhfb,
articleno = "3",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Doychev:2015:CTS,
author = "Goran Doychev and Boris K{\"o}pf and Laurent Mauborgne
and Jan Reineke",
title = "{CacheAudit}: a Tool for the Static Analysis of Cache
Side Channels",
journal = j-TISSEC,
volume = "18",
number = "1",
pages = "4:1--4:??",
month = jun,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2756550",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Wed Jun 10 08:04:25 MDT 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "We present CacheAudit, a versatile framework for the
automatic, static analysis of cache side channels.
CacheAudit takes as input a program binary and a cache
configuration and derives formal, quantitative security
guarantees for a comprehensive set of side-channel
adversaries, namely, those based on observing cache
states, traces of hits and misses, and execution times.
Our technical contributions include novel abstractions
to efficiently compute precise overapproximations of
the possible side-channel observations for each of
these adversaries. These approximations then yield
upper bounds on the amount of information that is
revealed. In case studies, we apply CacheAudit to
binary executables of algorithms for sorting and
encryption, including the AES implementation from the
PolarSSL library, and the reference implementations of
the finalists of the eSTREAM stream cipher competition.
The results we obtain exhibit the influence of cache
size, line size, associativity, replacement policy, and
coding style on the security of the executables and
include the first formal proofs of security for
implementations with countermeasures such as preloading
and data-independent memory access patterns.",
acknowledgement = ack-nhfb,
articleno = "4",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@Article{Tan:2015:IAR,
author = "Rui Tan and Varun Badrinath Krishna and David K. Y.
Yau and Zbigniew Kalbarczyk",
title = "Integrity Attacks on Real-Time Pricing in Electric
Power Grids",
journal = j-TISSEC,
volume = "18",
number = "2",
pages = "5:1--5:??",
month = dec,
year = "2015",
CODEN = "ATISBQ",
DOI = "https://doi.org/10.1145/2790298",
ISSN = "1094-9224 (print), 1557-7406 (electronic)",
ISSN-L = "1094-9224",
bibdate = "Mon Dec 21 18:18:49 MST 2015",
bibsource = "http://portal.acm.org/;
http://www.math.utah.edu/pub/tex/bib/tissec.bib",
abstract = "Modern information and communication technologies used
by electric power grids are subject to cyber-security
threats. This article studies the impact of integrity
attacks on real-time pricing (RTP), an emerging feature
of advanced power grids that can improve system
efficiency. Recent studies have shown that RTP creates
a closed loop formed by the mutually dependent
real-time price signals and price-taking demand. Such a
closed loop can be exploited by an adversary whose
objective is to destabilize the pricing system.
Specifically, small malicious modifications to the
price signals can be iteratively amplified by the
closed loop, causing highly volatile prices,
fluctuating power demand, and increased system
operating cost. This article adopts a control-theoretic
approach to deriving the fundamental conditions of RTP
stability under basic demand, supply, and RTP models
that characterize the essential behaviors of consumers,
suppliers, and system operators, as well as two broad
classes of integrity attacks, namely, the scaling and
delay attacks. We show that, under an approximated
linear time-invariant formulation, the RTP system is at
risk of being destabilized only if the adversary can
compromise the price signals advertised to consumers,
by either reducing their values in the scaling attack
or providing old prices to over half of all consumers
in the delay attack. The results provide useful
guidelines for system operators to analyze the impact
of various attack parameters on system stability so
that they may take adequate measures to secure RTP
systems.",
acknowledgement = ack-nhfb,
articleno = "5",
fjournal = "ACM Transactions on Information and System Security",
journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
@article{Alexander:2015:MCD,
  author          = {Perry Alexander and Lee Pike and Peter Loscocco and
                     George Coker},
  title           = {Model Checking Distributed Mandatory Access Control
                     Policies},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {2},
  pages           = {6:1--6:??},
  month           = dec,
  year            = {2015},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2785966},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Mon Dec 21 18:18:49 MST 2015},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {This work examines the use of model checking
                     techniques to verify system-level security properties
                     of a collection of interacting virtual machines.
                     Specifically, we examine how local access control
                     policies implemented in individual virtual machines and
                     a hypervisor can be shown to satisfy global access
                     control constraints. The SAL model checker is used to
                     model and verify a collection of stateful domains with
                     protected resources and local MAC policies attempting
                     to access needed resources from other domains. The
                     model is described along with verification conditions.
                     The need to control state-space explosion is motivated
                     and techniques for writing theorems and limiting
                     domains explored. Finally, analysis results are
                     examined along with analysis complexity.},
  acknowledgement = ack-nhfb,
  articleno       = {6},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
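@article{Ali:2015:RBI,
  author          = {Muhammad Qasim Ali and Ehab Al-Shaer},
  title           = {Randomization-Based Intrusion Detection System for
                     Advanced Metering Infrastructure},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {2},
  pages           = {7:1--7:??},
  month           = dec,
  year            = {2015},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2814936},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Mon Dec 21 18:18:49 MST 2015},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Smart grid deployment initiatives have been witnessed
                     in recent years. Smart grids provide bidirectional
                     communication between meters and head-end systems
                     through Advanced Metering Infrastructure (AMI). Recent
                     studies highlight the threats targeting AMI. Despite
                     the need for tailored Intrusion Detection Systems
                     (IDSs) for smart grids, very limited progress has been
                     made in this area. Unlike traditional networks, smart
                     grids have their own unique challenges, such as limited
                     computational power devices and potentially high
                     deployment cost, that restrict the deployment options
                     of intrusion detectors. We show that smart grids
                     exhibit deterministic and predictable behavior that can
                     be accurately modeled to detect intrusion. However, it
                     can also be leveraged by the attackers to launch
                     evasion attacks. To this end, in this article, we
                     present a robust mutation-based intrusion detection
                     system that makes the behavior unpredictable for the
                     attacker while keeping it deterministic for the system.
                     We model the AMI behavior using event logs collected at
                     smart collectors, which in turn can be verified using
                     the invariant specifications generated from the AMI
                     behavior and mutable configuration. Event logs are
                     modeled using fourth-order Markov chain and
                     specifications are written in Linear Temporal Logic
                     (LTL). To counter evasion and mimicry attacks, we
                     propose a configuration randomization module. The
                     approach provides robustness against evasion and
                     mimicry attacks; however, we discuss that it still can
                     be evaded to a certain extent. We validate our approach
                     on a real-world dataset of thousands of meters
                     collected at the AMI of a leading utility provider.},
  acknowledgement = ack-nhfb,
  articleno       = {7},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}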
@article{Chong:2015:UAR,
  author          = {Stephen Chong and Ron {Van Der Meyden}},
  title           = {Using Architecture to Reason about Information
                     Security},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {2},
  pages           = {8:1--8:??},
  month           = dec,
  year            = {2015},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2829949},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Mon Dec 21 18:18:49 MST 2015},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {We demonstrate, by a number of examples, that
                     information flow security properties can be proved from
                     abstract architectural descriptions, which describe
                     only the causal structure of a system and local
                     properties of trusted components. We specify these
                     architectural descriptions of systems by generalizing
                     intransitive noninterference policies to admit the
                     ability to filter information passed between
                     communicating domains. A notion of refinement of such
                     system architectures is developed that supports
                     top-down development of architectural specifications
                     and proofs by abstraction of information security
                     properties. We also show that, in a concrete setting
                     where the causal structure is enforced by access
                     control, a static check of the access control setting
                     plus local verification of the trusted components is
                     sufficient to prove that a generalized intransitive
                     noninterference policy is satisfied.},
  acknowledgement = ack-nhfb,
  articleno       = {8},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Shabtai:2016:BSU,
  author          = {Asaf Shabtai and Maya Bercovitch and Lior Rokach and
                     Ya'akov (Kobi) Gal and Yuval Elovici and Erez Shmueli},
  title           = {Behavioral Study of Users When Interacting with Active
                     Honeytokens},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {3},
  pages           = {9:1--9:??},
  month           = apr,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2854152},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Fri Apr 15 13:02:47 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Active honeytokens are fake digital data objects
                     planted among real data objects and used in an attempt
                     to detect data misuse by insiders. In this article, we
                     are interested in understanding how users (e.g.,
                     employees) behave when interacting with honeytokens,
                     specifically addressing the following questions: Can
                     users distinguish genuine data objects from
                     honeytokens? And, how does the user's behavior and
                     tendency to misuse data change when he or she is aware
                     of the use of honeytokens? First, we present an
                     automated and generic method for generating the
                     honeytokens that are used in the subsequent behavioral
                     studies. The results of the first study indicate that
                     it is possible to automatically generate honeytokens
                     that are difficult for users to distinguish from real
                     tokens. The results of the second study unexpectedly
                     show that users did not behave differently when
                     informed in advance that honeytokens were planted in
                     the database and that these honeytokens would be
                     monitored to detect illegitimate behavior. These
                     results can inform security system designers about the
                     type of environmental variables that affect people's
                     data misuse behavior and how to generate honeytokens
                     that evade detection.},
  acknowledgement = ack-nhfb,
  articleno       = {9},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
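@article{Benhamouda:2016:NFP,
  author          = {Fabrice Benhamouda and Marc Joye and Beno{\^\i}t
                     Libert},
  title           = {A New Framework for Privacy-Preserving Aggregation of
                     Time-Series Data},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {3},
  pages           = {10:1--10:??},
  month           = apr,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2873069},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Fri Apr 15 13:02:47 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Aggregator-oblivious encryption is a useful notion put
                     forward by Shi et al. in 2011 that allows an untrusted
                     aggregator to periodically compute an aggregate value
                     over encrypted data contributed by a set of users. Such
                     encryption schemes find numerous applications,
                     particularly in the context of privacy-preserving smart
                     metering. This article presents a general framework for
                     constructing privacy-preserving aggregator-oblivious
                     encryption schemes using a variant of Cramer--Shoup's
                     paradigm of smooth projective hashing. This abstraction
                     leads to new schemes based on a variety of complexity
                     assumptions. It also improves upon existing
                     constructions, providing schemes with shorter
                     ciphertexts and better encryption times.},
  acknowledgement = ack-nhfb,
  articleno       = {10},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}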
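@article{Zheng:2016:EUV,
  author          = {Nan Zheng and Aaron Paloski and Haining Wang},
  title           = {An Efficient User Verification System Using
                     Angle-Based Mouse Movement Biometrics},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {3},
  pages           = {11:1--11:??},
  month           = apr,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2893185},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Fri Apr 15 13:02:47 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Biometric authentication verifies a user based on its
                     inherent, unique characteristics---who you are. In
                     addition to physiological biometrics, behavioral
                     biometrics has proven very useful in authenticating a
                     user. Mouse dynamics, with their unique patterns of
                     mouse movements, is one such behavioral biometric. In
                     this article, we present a user verification system
                     using mouse dynamics, which is transparent to users and
                     can be naturally applied for continuous
                     reauthentication. The key feature of our system lies in
                     using much more fine-grained (point-by-point)
                     angle-based metrics of mouse movements for user
                     verification. These new metrics are relatively unique
                     from person to person and independent of a computing
                     platform. Moreover, we utilize support vector machines
                     (SVMs) for quick and accurate classification. Our
                     technique is robust across different operating
                     platforms, and no specialized hardware is required. The
                     efficacy of our approach is validated through a series
                     of experiments, which are based on three sets of user
                     mouse movement data collected in controllable
                     environments and in the field. Our experimental results
                     show that the proposed system can verify a user in an
                     accurate and timely manner, with minor induced system
                     overhead.},
  acknowledgement = ack-nhfb,
  articleno       = {11},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}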
@article{Ji:2016:GGD,
  author          = {Shouling Ji and Weiqing Li and Mudhakar Srivatsa and
                     Jing Selena He and Raheem Beyah},
  title           = {General Graph Data De-Anonymization: From Mobility
                     Traces to Social Networks},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {4},
  pages           = {12:1--12:??},
  month           = may,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2894760},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Sat May 21 08:19:26 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {When people utilize social applications and services,
                     their privacy suffers a potential serious threat. In
                     this article, we present a novel, robust, and effective
                     de-anonymization attack to mobility trace data and
                     social data. First, we design a Unified Similarity (US)
                     measurement, which takes account of local and global
                     structural characteristics of data, information
                     obtained from auxiliary data, and knowledge inherited
                     from ongoing de-anonymization results. By analyzing the
                     measurement on real datasets, we find that some data
                     can potentially be de-anonymized accurately and the
                     other can be de-anonymized in a coarse granularity.
                     Utilizing this property, we present a US-based
                     De-Anonymization (DA) framework, which iteratively
                     de-anonymizes data with accuracy guarantee. Then, to
                     de-anonymize large-scale data without knowledge of the
                     overlap size between the anonymized data and the
                     auxiliary data, we generalize DA to an Adaptive
                     De-Anonymization (ADA) framework. By smartly working on
                     two core matching subgraphs, ADA achieves high
                     de-anonymization accuracy and reduces computational
                     overhead. Finally, we examine the presented
                     de-anonymization attack on three well-known mobility
                     traces: St Andrews, Infocom06, and Smallblue, and three
                     social datasets: ArnetMiner, Google+, and Facebook. The
                     experimental results demonstrate that the presented
                     de-anonymization framework is very effective and robust
                     to noise. The source code and employed datasets are now
                     publicly available at SecGraph [2015].},
  acknowledgement = ack-nhfb,
  articleno       = {12},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Shay:2016:DPP,
  author          = {Richard Shay and Saranga Komanduri and Adam L. Durity
                     and Phillip (Seyoung) Huh and Michelle L. Mazurek and
                     Sean M. Segreti and Blase Ur and Lujo Bauer and Nicolas
                     Christin and Lorrie Faith Cranor},
  title           = {Designing Password Policies for Strength and
                     Usability},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {4},
  pages           = {13:1--13:??},
  month           = may,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2891411},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Sat May 21 08:19:26 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Password-composition policies are the result of
                     service providers becoming increasingly concerned about
                     the security of online accounts. These policies
                     restrict the space of user-created passwords to
                     preclude easily guessed passwords and thus make
                     passwords more difficult for attackers to guess.
                     However, many users struggle to create and recall their
                     passwords under strict password-composition policies,
                     for example, ones that require passwords to have at
                     least eight characters with multiple character classes
                     and a dictionary check. Recent research showed that a
                     promising alternative was to focus policy requirements
                     on password length instead of on complexity. In this
                     work, we examine 15 password policies, many focusing on
                     length requirements. In doing so, we contribute the
                     first thorough examination of policies requiring longer
                     passwords. We conducted two online studies with over
                     20,000 participants, and collected both usability and
                     password-strength data. Our findings indicate that
                     password strength and password usability are not
                     necessarily inversely correlated: policies that lead to
                     stronger passwords do not always reduce usability. We
                     identify policies that are both more usable and more
                     secure than commonly used policies that emphasize
                     complexity rather than length requirements. We also
                     provide practical recommendations for service providers
                     who want their users to have strong yet usable
                     passwords.},
  acknowledgement = ack-nhfb,
  articleno       = {13},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}
@article{Serwadda:2016:TRR,
  author          = {Abdul Serwadda and Vir V. Phoha and Zibo Wang and
                     Rajesh Kumar and Diksha Shukla},
  title           = {Toward Robotic Robbery on the Touch Screen},
  journal         = j-TISSEC,
  volume          = {18},
  number          = {4},
  pages           = {14:1--14:??},
  month           = may,
  year            = {2016},
  coden           = {ATISBQ},
  doi             = {https://doi.org/10.1145/2898353},
  issn            = {1094-9224 (print), 1557-7406 (electronic)},
  issn-l          = {1094-9224},
  bibdate         = {Sat May 21 08:19:26 MDT 2016},
  bibsource       = {http://portal.acm.org/;
                     http://www.math.utah.edu/pub/tex/bib/tissec.bib},
  abstract        = {Despite the tremendous amount of research fronting the
                     use of touch gestures as a mechanism of continuous
                     authentication on smart phones, very little research
                     has been conducted to evaluate how these systems could
                     behave if attacked by sophisticated adversaries. In
                     this article, we present two Lego-driven robotic
                     attacks on touch-based authentication: a population
                     statistics-driven attack and a user-tailored attack.
                     The population statistics-driven attack is based on
                     patterns gleaned from a large population of users,
                     whereas the user-tailored attack is launched based on
                     samples stolen from the victim. Both attacks are
                     launched by a Lego robot that is trained on how to
                     swipe on the touch screen. Using seven verification
                     algorithms and a large dataset of users, we show that
                     the attacks cause the system's mean false acceptance
                     rate (FAR) to increase by up to fivefold relative to
                     the mean FAR seen under the standard zero-effort
                     impostor attack. The article demonstrates the threat
                     that robots pose to touch-based authentication and
                     provides compelling evidence as to why the zero-effort
                     attack should cease to be used as the benchmark for
                     touch-based authentication systems.},
  acknowledgement = ack-nhfb,
  articleno       = {14},
  fjournal        = {ACM Transactions on Information and System Security},
  journal-url     = {http://portal.acm.org/browse_dl.cfm?idx=J789},
}