Vídeos De Usenix 17

USENIX 17 Además del material de USENIX 17, ya están disponibles también los vídeos de las charlas. Aquí tenéis la lista completa: Opening Remarks and Awards When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms How Double-Fetch Situations turn into Double-Fetch Vulnerabilities… Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Ninja: Towards Transparent Tracing and Debugging on ARM Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX On the effectiveness of mitigations against floating-point timing channels Constant-Time Callees with Variable-Time Callers Neural Nets Can Learn Function Type Signatures From Binaries CAn’t Touch This… Efficient Protection of Path-Sensitive Control Security Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Venerable Variadic Vulnerabilities Vanquished Towards Practical Tools for Side Channel Aware Software Engineering… Strong and Efficient Cache Side-Channel Protection… CacheD: Identifying Cache-Based Timing Channels in Production Software An Ant in a World of Grasshoppers From Problems to Patterns to Practice… BinSim: Trace-based Semantic Binary Diffing… PlatPal: Detecting Malicious Documents with Platform Diversity Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Global Measurement of DNS Manipulation Characterizing the Nature and Dynamics of Tor Exit Blocking DeTor: Provably Avoiding Geographic Regions in Tor SmartAuth: User-Centered Authorization for the Internet of Things AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Identifier Binding Attacks and Defenses in Software-Defined Networks HELP: Helper-Enabled In-Band Device Pairing… Attacking the Brain: Races in the SDN Control Plane Detecting Credential Spearphishing in Enterprise Settings SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data When the Weakest Link is Strong… Hacking in Darkness: Return-oriented Programming against Secure Enclaves vTZ: Virtualizing ARM TrustZone Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Picking Up My Tab… TrustBase: An Architecture to Repair and Strengthen… Transcend: Detecting Concept Drift in Malware Classification Models Syntia: Synthesizing the Semantics of Obfuscated Code Predicting the Resilience of Obfuscated Code… Differential Privacy: From Theory to Deployment OSS-Fuzz - Google’s continuous fuzzing service for open source software Extension Breakdown… CCSP: Controlled Relaxation of Content Security Policies… Same-Origin Policy: Evaluation in Modern Browsers Locally Differentially Private Protocols for Frequency Estimation BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Computer Security, Privacy, and DNA Sequencing… BootStomp: On the Security of Bootloaders in Mobile Devices Seeing Through The Same Lens… Oscar: A Practical Page-Permissions-Based Scheme… PDF Mirage: Content Masking Attack Against Information-Based Online Services Loophole: Timing Attacks on Shared Event Loops in Chrome Game of Registrars… Speeding up detection of SHA-1 collision attacks… Phoenix: Rebirth of a Cryptographic Password-Hardening Service Vale: Verifying High-Performance Cryptographic Assembly Code Exploring User Perceptions of Discrimination in Online Targeted Advertising Measuring the Insecurity of Mobile Deep Links of Android How the Web Tangled Itself Towards Efficient Heap Overflow Discovery DR.
Leer más

Material De Usenix Security 17, sesiones técnicas y talleres

Hace una semana se celebró en Canadá la conferencia “académica” sobre ciber seguridad Usenix junto a un puñado de talleres. Todo el material está disponible de forma gratuita para descarga de ambos eventos: Sesiones Técnicas y Talleres. Aquí tenéis la lista completa de las charlas y sus correspondientes enlaces: Sesiones técnicas de Usenix Security ‘17 When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms Erinn Clark, Lead Security Architect, First Look Media/The Intercept How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel Paper Slides Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Paper Ninja: Towards Transparent Tracing and Debugging on ARM Paper Slides Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX Paper On the effectiveness of mitigations against floating-point timing channels Paper Slides Constant-Time Callees with Variable-Time Callers Paper Slides Neural Nets Can Learn Function Type Signatures From Binaries Paper CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory Paper Efficient Protection of Path-Sensitive Control Security Paper Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities Paper kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Paper Venerable Variadic Vulnerabilities Vanquished Paper Towards Practical Tools for Side Channel Aware Software Engineering: ‘Grey Box’ Modelling for Instruction Leakages Paper Slides Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory Paper Slides CacheD: Identifying Cache-Based Timing Channels in Production Software Paper An Ant in a World of Grasshoppers Ellen Cram Kowalczyk, Microsoft From Problems to Patterns to Practice: Privacy and User Respect in a Complex World Lea Kissner, Google BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking Paper PlatPal: Detecting Malicious Documents with Platform Diversity Paper Slides Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Paper Global Measurement of DNS Manipulation Paper Characterizing the Nature and Dynamics of Tor Exit Blocking Paper DeTor: Provably Avoiding Geographic Regions in Tor Paper SmartAuth: User-Centered Authorization for the Internet of Things Paper AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Paper Slides 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Paper Identifier Binding Attacks and Defenses in Software-Defined Networks Paper HELP: Helper-Enabled In-Band Device Pairing Resistant Against Signal Cancellation Paper Attacking the Brain: Races in the SDN Control Plane Paper Detecting Credential Spearphishing in Enterprise Settings Paper SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data Paper When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers Paper Slides Hacking in Darkness: Return-oriented Programming against Secure Enclaves Paper vTZ: Virtualizing ARM TrustZone Paper Slides Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Paper AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Paper Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment Paper Slides TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication Paper Transcend: Detecting Concept Drift in Malware Classification Models Paper Syntia: Synthesizing the Semantics of Obfuscated Code Paper Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning Paper Differential Privacy: From Theory to Deployment Abhradeep Guha Thakurta, University of California, Santa Cruz OSS-Fuzz - Google’s continuous fuzzing service for open source software Slides Kostya Serebryany, Google Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Paper CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition Paper Same-Origin Policy: Evaluation in Modern Browsers Paper Locally Differentially Private Protocols for Frequency Estimation Paper BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Paper Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More Paper BootStomp: On the Security of Bootloaders in Mobile Devices Paper Slides Seeing Through The Same Lens: Introspecting Guest Address Space At Native Speed Paper Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers Paper PDF Mirage: Content Masking Attack Against Information-Based Online Services Paper Loophole: Timing Attacks on Shared Event Loops in Chrome Paper Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers Paper Speeding up detection of SHA-1 collision attacks using unavoidable attack conditions Paper Phoenix: Rebirth of a Cryptographic Password-Hardening Service Paper Vale: Verifying High-Performance Cryptographic Assembly Code Paper Exploring User Perceptions of Discrimination in Online Targeted Advertising Paper Measuring the Insecurity of Mobile Deep Links of Android Paper How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security Paper Towards Efficient Heap Overflow Discovery Paper DR.
Leer más

Vídeos de Usenix Enigma 2017

Aquí tenéis los charlas (vídeos y algunas diapositivas) de la edición de este año de la conferencia Usenix Enigma: Human Computation with an Application to Passwords Moving Account Recovery beyond Email and the “Secret” Question Secrets at Scale: Automated Bootstrapping of Secrets & Identity in the Cloud Inside “MOAR TLS:” How We Think about Encouraging External HTTPS Adoption on the Web Ghost in the Machine: Challenges in Embedded Binary Security LLC Cache Attacks: Applicability and Countermeasures IoT, a Cybercriminal’s Paradise Hacking Sensors Test Driven Security in Continuous Integration As We May Code Leveraging the Power of Automated Reasoning in Security Analysis of Web Applications and Beyond Startups + Industry: How Everyone Can Win Behaviors and Patterns of Bulletproof and Anonymous Hosting Providers StreamAlert: A Serverless, Real-time Intrusion Detection Engine Neural and Behavioral Insights on Trust What Does the Brain Tell Us about Usable Security?
Leer más

Vídeos de USENIX Enigma 2016

Otra de las grandes conferencias USENIX que tuvo lugar a finales de enero Enigma 2016, enfocada a ataques emergentes, tiene publicado los vídeos de las presentaciones. La lista no es muy amplia, pero la mayoría muy interesantes: ToStaticHTML for Everyone! About DOMPurify, … Building a Competitive Hacking Team Verification, Auditing, and Evidence: If We Didn’t Notice Anything Wrong… Keys Under Doormats: Mandating Insecurity… Trust Beyond the First Hop–What Really Happens to Data Sent to HTTPS Websites Drops for Stuff: An Analysis of Reshipping Mule Scams Sanitize, Fuzz, and Harden Your C++ Code Dolla Dolla Bill Y’all: Cybercrime Cashouts Usable Security–The Source Awakens Defending, Detecting, and Responding to Hardware and Firmware Attacks Timeless Debugging Modern Automotive Security: History, Disclosure, and Consequences Protecting High Risk Users Opening Video PKI at Scale Using Short-lived Certificates We Need Something Better—Building STAR Vote Bullet-Proof Credit Card Processing Why Is Usable Security Hard, and What Should We Do about it?
Leer más

Material de USENIX 24 y sus talleres: WOOT, CSET, FOCI, HealthTech, 3GSE, HotSet y JETS

La organización sobre computación avanzada USENIX, celebra su 24 simposio sobre seguridad. Dicho evento termina hoy, pero el contenido de las charlas ya se encuentran disponibles: Post-Mortem of a Zombie: Conficker Cleanup After Six Years - Paper Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World - Paper Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem - Paper Under-Constrained Symbolic Execution: Correctness Checking for Real Code - Paper TaintPipe: Pipelined Symbolic Taint Analysis - Paper Type Casting Verification: Stopping an Emerging Attack Vector - Paper All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS - Paper Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS - Paper Eclipse Attacks on Bitcoin’s Peer-to-Peer Network - Paper Compiler-instrumented, Dynamic Secret-Redaction of Legacy Processes for Attacker Deception - Paper Control-Flow Bending: On the Effectiveness of Control-Flow Integrity - Paper Automatic Generation of Data-Oriented Exploits - Paper Protocol State Fuzzing of TLS Implementations - Paper Verified Correctness and Security of OpenSSL HMAC - Paper Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation - Paper To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections - Paper De-anonymizing Programmers via Code Stylometry - Paper RAPTOR: Routing Attacks on Privacy in Tor - Paper Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services - Paper SecGraph: A Uniform and Open-source Evaluation System for Graph Data Anonymization and De-anonymization - Paper Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer - Paper Trustworthy Whole-System Provenance for the Linux Kernel - Paper Securing Self-Virtualizing Ethernet Devices - Paper EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning - Paper Marionette: A Programmable Network Traffic Obfuscation System - Paper CONIKS: Bringing Key Transparency to End Users - Paper Investigating the Computer Security Practices and Needs of Journalists - Paper Constants Count: Practical Improvements to Oblivious RAM - Paper Raccoon: Closing Digital Side-Channels through Obfuscated Execution - Paper M2R: Enabling Stronger Privacy in MapReduce Computation - Paper Measuring Real-World Accuracies and Biases in Modeling Password Guessability - Paper Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound - Paper Android Permissions Remystified: A Field Study on Contextual Integrity - Paper Phasing: Private Set Intersection Using Permutation-based Hashing - Paper Faster Secure Computation through Automatic Parallelization - Paper The Pythia PRF Service - Paper EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services - Paper Trends and Lessons from Three Years Fighting Malicious Extensions - Paper Meerkat: Detecting Website Defacements through Image-based Object Recognition - Paper Recognizing Functions in Binaries with Neural Networks - Paper Reassembleable Disassembling - Paper How the ELF Ruined Christmas - Paper Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale - Paper You Shouldn’t Collect My Secrets: Thwarting Sensitive Keystroke Leakage in Mobile IME Apps - Paper Boxify: Full-fledged App Sandboxing for Stock Android - Paper Cookies Lack Integrity: Real-World Implications - Paper The Unexpected Dangers of Dynamic JavaScript - Paper ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities - Paper Anatomization and Protection of Mobile Apps’ Location Privacy Threats - Paper LinkDroid: Reducing Unregulated Aggregation of App Usage Behaviors - Paper PowerSpy: Location Tracking Using Mobile Device Power Analysis - Paper In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services - Paper Bohatei: Flexible and Elastic DDoS Defense - Paper Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge - Paper GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies - Paper Thermal Covert Channels on Multi-core Platforms - Paper Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors - Paper Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches - Paper A Placement Vulnerability Study in Multi-Tenant Public Clouds - Paper A Measurement Study on Co-residence Threat inside the Cloud - Paper Towards Discovering and Understanding Task Hijacking in Android - Paper Cashtags: Protecting the Input and Display of Sensitive Data - Paper SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps - Paper UIPicker: User-Input Privacy Identification in Mobile Applications - Paper Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents - Paper WebWitness: Investigating, Categorizing, and Mitigating Malware Download Paths - Paper Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits - Paper Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence - Paper A este evento le preceden una serie de talleres enfocados en temas más específicos, también dentro del ámbito de la seguridad informática: WOOT, CSET, FOCI, HealthTech, 3GSE, HotSet y JETS.
Leer más

Material del WOOT'14 y sesiones técnicas de 23 USENIX Security Symposium

El 19 de agosto se dio lugar en San Diego una nueva edición de la USENIX, empezando con los workshops (WOOT ‘14), seguido por la 23 edición del USENIX Security Symposium, durante los tres días siguientes, del 20 al 22. Aquí tenéis la lista de los workshops celebrados en la USENIX Workshop On Offensive Technology (WOOT) 2014. Podéis hacer click en cada enlace para saber más sobre el workshop y bajaros material del mismo, o si os queréis bajar todo el material de golpe, lo podéis hacer desde este enlace.
Leer más