<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>ACM Queue - Security</title>
    <link>http://queue.acm.org/listing.cfm?item_topic=Security&amp;qc_type=topics_list&amp;filter=Security&amp;page_title=Security&amp;order=desc</link>
    <description />
    <item>
      <title>Time Protection in Operating Systems and Speaker Legitimacy Detection</title>
      <link>http://queue.acm.org/detail.cfm?id=3344779</link>
      <description>Timing-based side-channel attacks are a particularly tricky class of attacks to deal with because the very thing you're often striving for can give you away. There are always more creative new instances of attacks to be found, so you need a principled way of thinking about defenses that address the class, not just a particular instantiation. That's what Ge et al. give us in "Time Protection, the Missing OS Abstraction." Just as operating systems prevent spatial inference through memory protection, so future operating systems will need to prevent temporal inference through time protection. It's going to be a long road to get there.&#xD;
&#xD;
The second paper chosen for this edition comes from NDSS'19 (Network and Distributed System Security Symposium) and studies the physiological and social implications of the ever-improving abilities of voice-imitation software. It seems people may be especially vulnerable to being fooled by fake voices. "The crux of voice (in)security: a brain study of speaker legitimacy detection," by Neupane et al., is a fascinating study with implications far beyond just the technology.</description>
      <category>Security</category>
      <pubDate>Tue, 09 Jul 2019 13:53:09 GMT</pubDate>
      <author>Adrian Colyer</author>
      <guid isPermaLink="false">3344779</guid>
    </item>
    <item>
      <title>Security for the Modern Age</title>
      <link>http://queue.acm.org/detail.cfm?id=3301253</link>
      <description>Giving operators a usable means of securing the methods they use to deploy and run applications is a win for everyone. Keeping the usability-focused abstractions provided by containers, while finding new ways to automate security and defend against attacks, is a great path forward.</description>
      <category>Security</category>
      <pubDate>Wed, 19 Dec 2018 14:03:04 GMT</pubDate>
      <author>Jessie Frazelle</author>
      <guid isPermaLink="false">3301253</guid>
    </item>
    <item>
      <title>Understanding Database Reconstruction Attacks on Public Data</title>
      <link>http://queue.acm.org/detail.cfm?id=3295691</link>
      <description>With the dramatic improvement in both computer speeds and the efficiency of SAT and other NP-hard solvers in the last decade, DRAs on statistical databases are no longer just a theoretical danger. The vast quantity of data products published by statistical agencies each year may give a determined attacker more than enough information to reconstruct some or all of a target database and breach the privacy of millions of people. Traditional disclosure-avoidance techniques are not designed to protect against this kind of attack.</description>
      <category>Security</category>
      <pubDate>Wed, 28 Nov 2018 14:20:38 GMT</pubDate>
      <author>Simson Garfinkel, John M. Abowd, Christian Martindale</author>
      <guid isPermaLink="false">3295691</guid>
    </item>
    <item>
      <title>How to Live in a Post-Meltdown and -Spectre World</title>
      <link>http://queue.acm.org/detail.cfm?id=3281471</link>
      <description>Spectre and Meltdown create a risk landscape that has more questions than answers. This article addresses how these vulnerabilities were triaged when they were announced and the practical defenses that are available. Ultimately, these vulnerabilities present a unique set of circumstances, but for the vulnerability management program at Goldman Sachs, the response was just another day at the office.</description>
      <category>Security</category>
      <pubDate>Tue, 25 Sep 2018 13:53:05 GMT</pubDate>
      <author>Rich Bennett, Craig Callahan, Stacy Jones, Matt Levine, Merrill Miller, Andy Ozment</author>
      <guid isPermaLink="false">3281471</guid>
    </item>
    <item>
      <title>Reducing the Attack Surface</title>
      <link>http://queue.acm.org/detail.cfm?id=3161600</link>
      <description>The best way to reduce the attack surface of a piece of software is to remove any unnecessary code. Since you now have two teams demanding that you leave in the code, it's probably time to think about making two different versions of your binary. The application sounds like it's an embedded system, so I'll guess that it's written in C and take it from there.</description>
      <category>Security</category>
      <pubDate>Tue, 14 Nov 2017 11:54:20 GMT</pubDate>
      <author>George Neville-Neil</author>
      <guid isPermaLink="false">3161600</guid>
    </item>
    <item>
      <title>Bitcoin's Academic Pedigree</title>
      <link>http://queue.acm.org/detail.cfm?id=3136559</link>
      <description>We've seen repeatedly that ideas in the research literature can be gradually forgotten or lie unappreciated, especially if they are ahead of their time, even in popular areas of research. Both practitioners and academics would do well to revisit old ideas to glean insights for present systems. Bitcoin was unusual and successful not because it was on the cutting edge of research on any of its components, but because it combined old ideas from many previously unrelated fields. This is not easy to do, as it requires bridging disparate terminology, assumptions, etc., but it is a valuable blueprint for innovation.</description>
      <category>Security</category>
      <pubDate>Tue, 29 Aug 2017 15:56:56 GMT</pubDate>
      <author>Arvind Narayanan, Jeremy Clark</author>
      <guid isPermaLink="false">3136559</guid>
    </item>
    <item>
      <title>IoT: The Internet of Terror</title>
      <link>http://queue.acm.org/detail.cfm?id=3121440</link>
      <description>It is true that many security-focused engineers can sound like Chicken Little, running around announcing that the sky is falling, but, unless you've been living under a rock, you will notice that, indeed, the sky IS falling. Not a day goes by without a significant attack against networked systems making the news, and the Internet of Terror is leading the charge in taking distributed systems down the road to hell - a road that you wish to pave with your good intentions.</description>
      <category>Security</category>
      <pubDate>Thu, 06 Jul 2017 16:15:32 GMT</pubDate>
      <author>George Neville-Neil</author>
      <guid isPermaLink="false">3121440</guid>
    </item>
    <item>
      <title>Internal Access Controls</title>
      <link>http://queue.acm.org/detail.cfm?id=2697395</link>
      <description>Every day seems to bring news of another dramatic and high-profile security incident, whether it is the discovery of longstanding vulnerabilities in widely used software such as OpenSSL or Bash, or celebrity photographs stolen and publicized. There seems to be an infinite supply of zero-day vulnerabilities and powerful state-sponsored attackers. In the face of such threats, is it even worth trying to protect your systems and data? What can systems security designers and administrators do?</description>
      <category>Security</category>
      <pubDate>Wed, 10 Dec 2014 22:35:01 GMT</pubDate>
      <author>Geetanjali Sampemane</author>
      <guid isPermaLink="false">2697395</guid>
    </item>
    <item>
      <title>Quality Software Costs Money - Heartbleed Was Free</title>
      <link>http://queue.acm.org/detail.cfm?id=2636165</link>
      <description>The world runs on free and open-source software, FOSS for short, and to some degree it has predictably infiltrated just about any software-based product anywhere in the world.</description>
      <category>Security</category>
      <pubDate>Thu, 19 Jun 2014 15:23:37 GMT</pubDate>
      <author>Poul-Henning Kamp</author>
      <guid isPermaLink="false">2636165</guid>
    </item>
    <item>
      <title>Who Must You Trust?</title>
      <link>http://queue.acm.org/detail.cfm?id=2630691</link>
      <description>In his novel The Diamond Age, author Neal Stephenson describes a constructed society (called a phyle) based on extreme trust in one's fellow members. Part of the membership requirements is that, from time to time, each member is called upon to undertake certain tasks to reinforce that trust. For example, a phyle member might be told to go to a particular location at the top of a cliff at a specific time, where he will find bungee cords with ankle harnesses attached. The other ends of the cords trail off into the bushes. At the appointed time he is to fasten the harnesses to his ankles and jump off the cliff. He has to trust that the unseen fellow phyle member who was assigned the job of securing the other end of the bungee to a stout tree actually did his job; otherwise, he will plummet to his death. A third member secretly watches to make sure the first two don't communicate in any way, relying only on trust to keep tragedy at bay. Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today, as well as every other aspect of your technological life.</description>
      <category>Security</category>
      <pubDate>Fri, 30 May 2014 16:14:17 GMT</pubDate>
      <author>Thomas Wadlow</author>
      <guid isPermaLink="false">2630691</guid>
    </item>
  </channel>
</rss>