DOCSLIB.ORG

Security and Privacy for Outsourced Computations. Amrit Kumar

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security and Privacy for Outsourced Computations. Amrit Kumar Security and privacy for outsourced computations. Amrit Kumar To cite this version: Amrit Kumar. Security and privacy for outsourced computations.. Cryptography and Security [cs.CR]. Université Grenoble Alpes, 2016. English. NNT : 2016GREAM093. tel-01687732 HAL Id: tel-01687732 https://tel.archives-ouvertes.fr/tel-01687732 Submitted on 18 Jan 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE` Pour obtenir le grade de DOCTEUR DE L’UNIVERSITE´ DE GRENOBLE Specialit´ e´ : Informatique Arretˆ e´ ministerial´ : 7 aoutˆ 2006 Present´ ee´ par Amrit Kumar These` dirigee´ par Pascal Lafourcade et codirigee´ par Cedric´ Lauradoux prepar´ ee´ au sein d’Equipe´ Privatics, Inria, Grenoble-Rhoneˆ Alpes et de l’Ecole´ Doctorale MSTII Security and Privacy of Hash-Based Software Applications These` soutenue publiquement le 20 octobre, 2016, devant le jury compose´ de : Mr. Refik Molva Professeur, Eurecom, President´ Mr. Gildas Avoine Professeur, INSA Rennes, Rapporteur Mr. Sebastien´ Gambs Professeur, Universite´ du Quebec´ a` Montreal,´ Rapporteur Mr. Kasper B. Rasmussen Professeur associe,´ University of Oxford, Examinateur Ms. Reihaneh Safavi-Naini Professeur, University of Calgary, Examinatrice Mr. Pascal Lafourcade Maˆıtre de Conference,´ Universite´ d’Auvergne, Directeur de these` Mr. Cedric´ Lauradoux Charge´ de Recherche, Inria, Co-Directeur de these` Acknowledgments Firstly, I would like to express my sincere gratitude to my advisors Dr. Cédric Lauradoux and Dr. Pascal Lafourcade for their continuous support during my PhD study and for their patience and motivation. The research reported in this dissertation would not have been possible without their guidance and help. Besides research, I have found their advice and guidance about other issues in life to be invaluable as well. I could not have imagined having better and friendly advisors to complete this journey. I would like to thank Prof. Gildas Avoine and Prof. Sébastien Gambs for reviewing this dissertation. I also extend my thanks to the rest of my PhD committee: Prof. Refik Molva, Prof. Reihaneh Safavi-Naini and Prof. Kasper B. Rasmussen, for accepting to be a part of the jury. I am extremely grateful for the financial support provided by the Labex persyval-lab (anr-11-labx-0025-01) funded by the French program Investissement d’avenir and also to MITACS for funding me an internship at University of Calgary. My sincere thanks goes to Prof. Reihaneh Safavi-Naini, who provided me an opportunity to join her team as an intern during my PhD, and for providing access to the research facilities during my stay at University of Calgary. I thank my collaborators for the stimulating discussions, for the sleepless nights we were working together before deadlines, and for all the fun we have had in the last three years. Last but not the least, I would like to thank my family: my parents and to my brother and sister and my fiancée for supporting me spiritually throughout my PhDand my life in general. iii Abstract Hashing and hash-based data structures are ubiquitous. Apart from their role in the design of efficient algorithms, they particularly form the core to many sensitive software applications. Whether it be in authentication on the Internet, integrity/identification of files, payment using Bitcoins, web proxies, or anti-viruses, the use of hashing algorithms might only be internal but yet very pervasive. This dissertation studies the pitfalls of employing hashing and hash-based data struc- tures in software applications, with a focus on their security and privacy implications. The mainstay of this dissertation is the security and privacy analysis of software solutions built atop Bloom filters — a popular hash-based data structure, and Safe Browsing — a malicious website detection tool developed by Google that uses hash functions. The soft- ware solutions studied in this dissertation have billions of clients, which include software developers and end users. For Bloom filters and their privacy, we study a novel use case, where they forman essential tool to privately query leaked databases of personal data. While for security, we study Bloom filters in adversarial settings. The study encompasses both theory and practice. From a theoretical standpoint, we define adversary models that capture the dif- ferent access privileges of an adversary on Bloom filters. We put the theory into practice by identifying several security related software solutions (employing Bloom filters) that are vulnerable to our attacks. This includes: a web crawler, a web proxy, a malware filter, forensic tools and an intrusion detection system. Our attacks are similar to traditional denial-of-service attacks capable of bringing the concerned infrastructures to knees. As for Safe Browsing, we study vulnerabilities in the architecture that an adversary can exploit. We show several attacks that can simultaneously increase traffic towards both the Safe Browsing server and the client. Our attacks are highly feasible as they essentially require inverting hash digests of 32 bits. We also study the privacy achieved by the service by analyzing the possibility of re-identifying websites visited by a client. Our analysis and experimental results show that Safe Browsing can potentially be used as a tool to track specific classes of individuals. This dissertation highlights the misunderstandings related to the use of hashing and hash-based data structures in a security and privacy context. These misunderstandings are the geneses of several malpractices that include the use of insecure hash functions, digest truncation among others. Motivated by our findings, we further explore several countermeasures to mitigate the ensuing security and privacy risks. Keywords: Hashing, Bloom filters, Safe Browsing, Security, Privacy, Denial-of-service. v Résumé Les fonctions de hachage et les structures de données qui leur sont associées sont om- niprésentes dans le monde numérique. En dehors de leurs rôles dans la conception d’algo- rithmes efficaces, elles sont aussi essentielles dans le domaine de sécurité et de protection de la vie privée. Elles permettent de protéger les mots de passe stockés sur les serveurs d’au- thentification ou protéger l’intégrité lors d’échange de fichiers. Elles sont omniprésentes dans tous les protocoles cryptographiques comme ceux de signature électronique. L’objective de cette thèse est d’analyser la sécurité et la protection de la vie privée des logiciels basés sur des fonctions de hachage. Dans ce contexte, nous nous intéressons plus particulièrement à deux applications. La première concerne les logiciels basés sur des filtres de Bloom — une structure de données basée sur le hachage. La deuxième est le service de “Safe Browsing”. Ce service, développé par Google, fournit une méthode sécurisée pour naviguer sur Internet tout en détectant les sites malveillants (sites de phishing ou malwares). Les deux applications sont très populaires, ayant des milliards d’utilisateurs. Pour des filtres de Bloom, nous étudions un nouveau cas d’utilisation, où ils constituent un outil essentiel pour interroger une base de données en respectant la vie privée. Nous analysons aussi la sécurité associée aux utilisations des filtres de Bloom dans un logiciel sensible. Notre étude aborde aussi bien les aspects théoriques que pratique. D’un point de vue théorique, nous définissons des modèles d’adversaire qui captent les différents accèsau filtre pour un adversaire. Nous mettons la théorie en pratique en identifiant la vulnérabilité de plusieurs logiciels basés sur des filtres de Bloom. Cela comprend: un robot web, un proxy, un filtre de malware, les outils de forensique et un système de détection d’intrusion. Nos attaques ressemblent aux attaques par déni de service. En ce qui concerne le service de “Safe Browsing”, nous étudions les vulnérabilités dans l’architecture qu’un adversaire puisse exploiter. Nous montrons plusieurs attaques qui peuvent simultanément augmenter le trafic vers le serveur et le client. Nous étudions également le niveau de la vie privée assuré par le service en analysant la possibilité de ré- indentifier des visites aux certains sites web. Notre analyse et les résultats expérimentaux montrent que le service de “Safe Browsing” pourrait être potentiellement utile comme un outil pour tracer certaines classes des individus sur Internet. Cette thèse met en lumière les idées fausses liées à l’utilisation de hachage et les structures de données basées sur le hachage dans le contexte de sécurité et de protection de la vie privée. Motivés par nos résultats, nous explorons en outre plusieurs contre- mesures pour augmenter le niveau de sécurité et de protection de la vie privée. Mots-clés: Hachage, Filtres de Bloom, Safe Browsing, Sécurité, Vie privée, Déni de service vii Contents Acknowledgments iii Abstract v Résumé vii 1 Introduction 1 1.1 Motivation 1 1.2 Problematics and Adopted Methodology 3 1.3 Contributions and Outline 5 1.3.1 Hash Functions for Privacy 5 1.3.2 Security and Privacy of Bloom Filters 5 1.3.3 Security
Load more

Recommended publications
  • Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux
    Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux To cite this version: Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. Safe Browsing Services: to Track, Censor and Protect. [Research Report] RR-8686, INRIA. 2015. hal-01120186v1 HAL Id: hal-01120186 https://hal.inria.fr/hal-01120186v1 Submitted on 4 Mar 2015 (v1), last revised 8 Sep 2015 (v4) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux RESEARCH REPORT N° 8686 February 2015 Project-Teams PRIVATICS ISSN 0249-6399 ISRN INRIA/RR--8686--FR+ENG Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux Project-Teams PRIVATICS Research Report n° 8686 — February 2015 — 25 pages Abstract: Users often inadvertently click malicious phishing or malware website links, and in doing so they sacrifice secret information and sometimes even fully compromise their devices. The purveyors of these sites are highly motivated and hence construct intelligently scripted URLs to remain inconspicuous over the Internet. In light of the ever increasing number of such URLs, new ingenious strategies have been invented to detect them and inform the end user when he is tempted to access such a link.
    [Show full text]
  • The Virtual Sphere 2.0: the Internet, the Public Sphere, and Beyond 230 Zizi Papacharissi
    Routledge Handbook of Internet Politics Edited by Andrew Chadwick and Philip N. Howard t&f proofs First published 2009 by Routledge 2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN Simultaneously published in the USA and Canada by Routledge 270 Madison Avenue, New York, NY 10016 Routledge is an imprint of the Taylor & Francis Group, an Informa business © 2009 Editorial selection and matter, Andrew Chadwick and Philip N. Howard; individual chapters the contributors Typeset in Times New Roman by Taylor & Francis Books Printed and bound in Great Britain by MPG Books Ltd, Bodmin All rights reserved. No part of this book may be reprinted or reproduced or utilized in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers. British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging in Publication Data Routledge handbook of Internet politicst&f / edited proofs by Andrew Chadwick and Philip N. Howard. p. cm. Includes bibliographical references and index. 1. Internet – Political aspects. 2. Political participation – computer network resources. 3. Communication in politics – computer network resources. I. Chadwick, Andrew. II. Howard, Philip N. III. Title: Handbook of Internet Politics. IV. Title: Internet Politics. HM851.R6795 2008 320.0285'4678 – dc22 2008003045 ISBN 978-0-415-42914-6 (hbk) ISBN 978-0-203-96254-1 (ebk) Contents List of figures ix List of tables x List of contributors xii Acknowledgments xvi 1 Introduction: new directions in internet politics research 1 Andrew Chadwick and Philip N.
    [Show full text]
  • Mar-Apr 2006 Wkg Copy
    MARCH-APRIL 2006 CYBER CRIME NEWSLETTER Issue 17 Table of Contents News Highlights in This Issue: Features 2 Law Journal on Search and Seizure Available Laws to Stop Illegal Online Gambling Urged by 49 AGs 5 Net Victimization Seminar Held at Ole Miss FRCP Electronic Discovery Amendments Okayed Law Journal on Search and Seizure Available 2 AGs Fighting Cyber Crimes 5 49 AGs Urge Laws Stopping Illegal Online Gambling AG Lockyer and FTC Settle Spam Suit E-Mail Provider Not Liable for User’s Child Pornography 10 Connecticut AG Urges Changes to MySpace.com AG Crist: Judgment Against Katrina Fraud Web Site Illinois AG Sets Up ID Theft Hotline FBI Survey: Computer Crimes Costs $ 67 Billion/Year 16 AG Kline Presents Internet Safety Workshop Louisiana AG Speaks at Cyber Crime Workshop AG Reilly Arrests Online Child Pornographers Virginia Law Requires Schools to Teach Cyber Safety 21 Michigan AG Arrests Online Child Predator AG Hatch Promotes ID Theft Legislation Mississippi AG Announces Plea in Phishing Case AG Nixon Files Felony Charges in ID Theft Case Report Outlines Needs for Forensics Labs 21 Nebraska AG Kicks Off Internet Safety Month AG Chanos: Internet Child Pornography Ring Indicted New Mexico AG’s ICAC Unit Captures Net Predator Supreme Court Approves Electronic Discovery Rules 4 AG Spitzer Sues Seller of E-Mail Addresses North Carolina AG Urges State Classes on Net Crimes AG Petro Holds Town Meeting on Internet Safety E-Mail Service of Elusive Overseas Defendant Allowed 9 Pennsylvania AG’s Unit Charges Internet Predator AG McMaster: Internet Predator Arrested South Dakota AG Says Child Pornographer Sentenced Maryland Spam Law Does Not Violate Commerce Clause 13 AG Abbott: Grand Jury Indicted Child Pornographer Utah AG Unveils ID Theft Reporting System AG McKenna Settles With Deceptive Net Advertiser Internet Coalition Initiates “Stop Badware” Site 17 In the Courts 10 U.S.
    [Show full text]
  • Verbraucherpolitik Und Finanzmarkt: Neue Institutionen Braucht Das Land?
    A Service of Leibniz-Informationszentrum econstor Wirtschaft Leibniz Information Centre Make Your Publications Visible. zbw for Economics Metz, Rainer Article Verbraucherpolitik und Finanzmarkt: neue Institutionen braucht das Land? Vierteljahrshefte zur Wirtschaftsforschung Provided in Cooperation with: German Institute for Economic Research (DIW Berlin) Suggested Citation: Metz, Rainer (2009) : Verbraucherpolitik und Finanzmarkt: neue Institutionen braucht das Land?, Vierteljahrshefte zur Wirtschaftsforschung, ISSN 1861-1559, Duncker & Humblot, Berlin, Vol. 78, Iss. 3, pp. 96-109, http://dx.doi.org/10.3790/vjh.78.3.96 This Version is available at: http://hdl.handle.net/10419/99564 Standard-Nutzungsbedingungen: Terms of use: Die Dokumente auf EconStor dürfen zu eigenen wissenschaftlichen Documents in EconStor may be saved and copied for your Zwecken und zum Privatgebrauch gespeichert und kopiert werden. personal and scholarly purposes. Sie dürfen die Dokumente nicht für öffentliche oder kommerzielle You are not to copy documents for public or commercial Zwecke vervielfältigen, öffentlich ausstellen, öffentlich zugänglich purposes, to exhibit the documents publicly, to make them machen, vertreiben oder anderweitig nutzen. publicly available on the internet, or to distribute or otherwise use the documents in public. Sofern die Verfasser die Dokumente unter Open-Content-Lizenzen (insbesondere CC-Lizenzen) zur Verfügung gestellt haben sollten, If the documents have been made available under an Open gelten abweichend von diesen Nutzungsbedingungen die in der dort Content Licence (especially Creative Commons Licences), you genannten Lizenz gewährten Nutzungsrechte. may exercise further usage rights as specified in the indicated licence. www.econstor.eu Vierteljahrshefte zur Wirtschaftsforschung 78 (2009), 3, S. 96–109 Verbraucherpolitik und Finanzmarkt: Neue Institutionen braucht das Land?* von Rainer Metz Zusammenfassung: Auf die Verunsicherung der Verbraucher durch die Verluste auf dem Finanz- markt wurde mit einer Vielzahl von neuen Vorschlägen reagiert.
    [Show full text]
  • FSUG Annual Report 2016
    FSUG Annual Report 2016 TABLE OF CONTENTS FOREWORD ........................................................................................................................ 3 FSUG activities ..................................................................................................................... 3 Major research projects and policy papers ........................................................................ 4 FSUG priorities .................................................................................................................. 4 Wider engagement ............................................................................................................ 6 Special features ................................................................................................................. 6 ABOUT THE FSUG .............................................................................................................. 7 FSUG CONSULTATION RESPONSES ................................................................................ 8 European Commission consultation: Covered bonds in the EU ......................................... 8 Joint Consultation Paper on PRIIPs key information for EU retail investors ....................... 8 EU regulatory framework for financial services .................................................................. 9 Green Paper on Retail Financial Services ....................................................................... 10 FSUG analysis and proposals on the integration of the EU retail investment
    [Show full text]
  • Obtained by POLITICO
    UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION WASHINGTON, D.C. 20580 Bureau of Economics August s,· 2012 MEMORANDUM To: The Commission From: Christopher Adams and John Yun, Economists1 Re: Google, Inc., Matter No. 1110163 Rec: Close the investigation POLITICO Executive Summary In June 2011, the Commission authorized bycompulsory process to determine whether Google is engaging in anticompetitive practices with respect to its online search, online advertisement, and mobile phone businesses. In February 2012, staff apprised the Commission of the numerous theories of harm being considered and the evidence gathered to date. In this memo, we update the evidence and offer our final recommendation. We analyze Google's market power in search advertising and consider four theories of . harm regarding Google's business practices: (1} preferencing of search results through the practice of favoring its own web properties at the expense of rival content providers; Obtained(2} exclusive agreements with publishers and vendors in various distribution channels which deprive rival search platforms of users and advertisers; 1 Ann Miles provided valuable research assistance. We thank Jon Byars for his extraordinary work in programming the API feeds from c6mScore, creating data sets and analyzing the large amounts of data collected and provided. Thanks also to Matthew Chesnes and other colleagues in the Bureau of Economics for their assistance in various aspects of the case including data requests and analysis. 1 [ (3) restrictions on porting advertiser data to rival platforms through Google's terms and conditions governing the use of its AdWords API (application programing interface) software; (4) misappropriating content from Yelp and TripAdvisor.
    [Show full text]
  • Citizens Advice Annual Report 2019/20
    Annual report 2019/20 2 We are Citizens Advice We are Citizens Advice We can all face problems that seem complicated or intimidating. At Citizens Advice, we believe no one should have to face these problems without good quality, independent advice. Our network of charities offers confidential advice With the right evidence, we can show big online, over the phone, and in person, for free. organisations – from companies right up to the government – how they can make things better When we say we’re for everyone, we mean it. for people. People rely on us because we’re independent and totally impartial. That’s why we’re here: to give people the knowledge and the confidence they need to No one else sees so many people with so many find their way forward – whoever they are, and different kinds of problems, and that gives us a unique whatever their problem. insight into the challenges people are facing today. 3 Contents Contents Trustees’ report Strategic report Our year at Citizens Advice Financial statements 4 Introduction Introduction A message from our Chair and Chief Executive As we reflect on the past year, we have much to be proud of. In our long history, we’ve always been there for everyone and this year was no different. We helped 2.8 million people find a way forward, celebrated our 80th anniversary and tackled new and emerging challenges. Our service started the day after the outbreak of World War 2 to help people deal with the impacts of war. Since then, our strength has always been our ability to adapt and keep pace in an ever changing world and to be a trusted and stable source of support.
    [Show full text]
  • '“Fake News”: Reconsidering the Value of Untruthful Expression in the Face
    This is a repository copy of ‘“Fake news”: reconsidering the value of untruthful expression in the face of regulatory uncertainty’. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/141447/ Version: Accepted Version Article: Katsirea, I. orcid.org/0000-0003-4659-5292 (2019) ‘“Fake news”: reconsidering the value of untruthful expression in the face of regulatory uncertainty’. The Journal of Media Law, 10 (2). pp. 159-188. ISSN 1757-7632 https://doi.org/10.1080/17577632.2019.1573569 This is an Accepted Manuscript of an article published by Taylor & Francis in Journal of Media Law on 30/01/2019, available online: http://www.tandfonline.com/10.1080/17577632.2019.1573569 Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item. Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ 1 ‘“Fake news”: Reconsidering the value of untruthful expression in the face of regulatory uncertainty’ DR. IRINI KATSIREA Centre for Freedom of the Media, Department of Journalism Studies, University of Sheffield E-mail:[email protected].
    [Show full text]
  • Audit of CDPH Food Establishment Inspections
    OFFICE OF INSPECTOR GENERAL City of Chicago REPORT OF THE OFFICE OF INSPECTOR GENERAL: ************************* CHICAGO DEPARTMENT OF PUBLIC HEALTH FOOD ESTABLISHMENT INSPECTION AUDIT NOVEMBER 2016 866-IG-TIPLINE (866-448-4754) www.chicagoinspectorgeneral.org OFFICE OF INSPECTOR GENERAL City of Chicago 740 N. Sedgwick Street, Suite 200 Chicago, Illinois 60654 Joseph M. Ferguson Telephone: (773) 478-7799 Inspector General Fax: (773) 478-3949 November 28, 2016 To the Mayor, Members of the City Council, City Clerk, City Treasurer, and residents of the City of Chicago: The City of Chicago Office of Inspector General (OIG) has completed an audit of the frequency of food establishment inspections conducted by the Chicago Department of Public Health (CDPH). Specifically, the objectives of this audit were to determine whether CDPH’s Food Protection Division conducted routine inspections of food establishments as often as required by the Department’s rules and regulations incorporating State law, conducted inspections triggered by complaints and reinspections of known violations in a timely manner, and accurately reported the results of inspections and reinspections through the City’s Data Portal. OIG concluded that, during the time period covered by the audit, CDPH did not conduct routine inspections of food establishments as often as required. CDPH has been out of compliance for a number of years; in fact, the Department could not state when, if ever, it last met the regulatory standards in this area. OIG determined that CDPH is seriously understaffed for conducting all the routine inspections required by law. However, we found that when CDPH identified a violation or received a complaint, it conducted reinspections and complaint-based inspections in a timely manner.
    [Show full text]
  • The Hacker's Aegis
    Emory Law Journal Volume 60 Issue 5 2010 The Hacker's Aegis Derek E. Bambauer Oliver Day Follow this and additional works at: https://scholarlycommons.law.emory.edu/elj Recommended Citation Derek E. Bambauer & Oliver Day, The Hacker's Aegis, 60 Emory L. J. 1051 (2010). Available at: https://scholarlycommons.law.emory.edu/elj/vol60/iss5/1 This Article is brought to you for free and open access by the Journals at Emory Law Scholarly Commons. It has been accepted for inclusion in Emory Law Journal by an authorized editor of Emory Law Scholarly Commons. For more information, please contact [email protected]. BAMBAUER&DAY GALLEYSFINAL 6/6/2011 10:27 AM THE HACKER’S AEGIS Derek E. Bambauer* ∗∗ Oliver Day ABSTRACT Intellectual property (IP) law stifles critical research on software security vulnerabilities, placing computer users at risk. Researchers who discover flaws often face IP-based legal threats if they reveal findings to anyone other than the software vendor. This Article argues that the interplay between law and vulnerability data challenges existing scholarship on how intellectual property law should regulate information about improvements on protected works, and suggests weakening, not enhancing, IP protections where infringement is difficult to detect, lucrative, and creates significant negative externalities. It proposes a set of three reforms—“patches,” in software terms—to protect security research. Legal reform would create immunity from civil IP liability for researchers who follow “responsible disclosure” rules. Linguistic reform would seek to make the term hacker less threatening either by recapturing the term’s original meaning, or abandoning it.
    [Show full text]
  • Automating Interpretations of Trustworthiness Marc Sel Royal Holloway, University of London
    Automating interpretations of trustworthiness Submitted by Marc Sel for the degree of Doctor of Philosophy of Royal Holloway, University of London 2021 Declaration I, Marc Sel, hereby declare that this thesis and the work presented in it is entirely my own. Where I have consulted the work of others, this is always clearly stated. Signed . (Marc Sel) Date: 1 To Trijntje. 2 Abstract Digital services have a significant impact on the lives of many individuals and organisations. Trust influences decisions regarding potential service providers, and continues to do so once a service provider has been selected. It is common to refer to the entity that is trusting as the trustor, and to the entity that is trusted as the trustee. There is no globally accepted model to describe trust in the context of digital services, nor to evaluate the trustworthiness of entities. Trust is commonly used in the context of digital services, yet it is overloaded with meaning and difficult to interpret. This thesis presents a novel model to describe and evaluate an entity’s trustworthiness. The model is referred to as the trustworthy ecosystem model. It is based on four building blocks: a data model, a rulebook, trustworthiness evaluation functions and instance data. The data model is expressed in First Order Logic. Rulebooks, which consist of constraints that reflect a particular context for reasoning about trustworthiness, are described using predi- cates. The entity that is evaluating is referred to as the evaluator, and the entity that is evaluated is the evaluation subject. The evaluator corresponds to a potential trustor, and the evaluation subject to a potential trustee.
    [Show full text]
  • A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux
    A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux To cite this version: Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. A Privacy Analysis of Google and Yandex Safe Browsing. [Research Report] RR-8686, INRIA. 2015. hal-01120186v3 HAL Id: hal-01120186 https://hal.inria.fr/hal-01120186v3 Submitted on 24 Apr 2015 (v3), last revised 8 Sep 2015 (v4) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux RESEARCH REPORT N° 8686 February 2015 Project-Teams PRIVATICS ISSN 0249-6399 ISRN INRIA/RR--8686--FR+ENG Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux Project-Teams PRIVATICS Research Report n° 8686 — February 2015 — 20 pages Abstract: Users often inadvertently click phishing or malware website links, and in doing so they sacrifice secret information and sometimes even fully compromise their devices. In light of the increasing number of such URLs, new strategies have been invented to detect them and prevent users from harm. At the forefront lies the Safe Browsing mechanism, which identifies unsafe URLs and notifies its users in real-time.
    [Show full text]