The 2019 IEEE Conference on Dependable and Secure Computing

Hangzhou • China | 18-20 November, 2019

Overview

Date Time Content
Nov. 18
8:50-9:00 am Opening
9:00-10:00 am Keynote 1: Long road towards secure and usable password authentication
Lecturer: Prof. Robert Deng
10:00-10:20 am Group photo & Tea break
10:20-11:50 am Paper session 1: Network security and intrusion detection
11:50-1:30 pm Lunch break
1:30-3:20 pm Paper session 2: Applied cryptography
3:20-3:40 pm Tea break
3:40-5:30 pm Paper session 3: Machine learning and security
6:00-8:00 pm Reception
Nov. 19
9:00-10:00 am Tutorial: The Game of Spear and Shield in Enterprise Networks
Lecturer: Prof. Shiuhpyng Winston Shieh
10:00-10:20 am Tea break
10:20-11:50 am Paper session 4: Encrypted databases and search
11:50-1:30 pm Lunch break
1:30-3:20 pm Paper session 5: Hardware security and reliability
3:20-3:40 pm Tea break
3:40-5:30 pm Paper session 6: Cryptocurrencies and blockchain technologies
5:30-6:00 pm Practice track session: SGX and its application
6:00-8:00 pm Banquet
Nov. 20
9:00-10:00 am Keynote 3: HardFails: On Software-Exploitable Hardware Bugs
Lecturer: Prof. Ahmad-Reza Sadeghi
10:00-10:20 am Tea break
10:20-12:10 am Paper session 7: Other topics on dependable and secure computing

Keynote Talks

Long road towards secure and usable password authentication
Prof. Robert Deng

Abstract: User authentication is the first line of defence in information security and password has been the most pervasive means for user authentication since the advent of computers. However, the use of password has intrinsic problems. In particular, password leakage (due to eavesdropping, phishing, shoulder-surfing or key logging) has been the source of numerous cyber attacks. In this talk, we will look at some of the recent efforts towards secure and usable password authentication, from automatically detecting implementation flaws from password authentication codes in Android apps, systematically analyzing the inherent trade-off between security and usability in leakage-resilient password systems, to the design of low-cost 2FA in order to enhance the security of password authentication.

Bio: Robert Deng is AXA Chair Professor of Cybersecurity and Director of the Secure Mobile Centre, School of Information Systems, Singapore Management University (SMU). His research interests are in the areas of data security and privacy, network security, and system security. He received the Outstanding University Researcher Award from National University of Singapore, Lee Kuan Yew Fellowship for Research Excellence from SMU, and Asia-Pacific Information Security Leadership Achievements Community Service Star from International Information Systems Security Certification Consortium. He serves/served on many editorial boards and conference committees. These include the editorial boards of IEEE Security & Privacy Magazine, IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, Journal of Computer Science and Technology, and Steering Committee Chair of the ACM Asia Conference on Computer and Communications Security. He is a Fellow of IEEE and Fellow of Academy of Engineering Singapore.


HardFails: On Software-Exploitable Hardware Bugs
Prof. Ahmad-Reza Sadeghi

Abstract: Modern computing platforms are becoming more complex, and thus more prone to new bugs. An emerging class of sophisticated attacks exploit cross-layer bugs, originating deep in the hardware, that leverage subtle interactions between software and hardware. This growing threat has been recently shown through a series of real-world exploits that affected all major hardware vendors. Patching hardware bugs is not always possible, and can potentially result in a product recall.

In this talk we take a deep dive into the security of modern processors’ design and implementation from a hardware designer’s perspective: we showcase how different software-exploitable hardware bugs, undetected by current hardware security verification techniques, can be exploited to mount critical attacks. Inspired by real-world vulnerabilities and insights from our collaborators at Intel, we constructed the first representative testbed of real-world software-exploitable RTL bugs based on open-source RISC-V SoCs. We conducted two extensive case studies for finding the implanted bugs: (i) an international hardware security competition, and (ii) an analysis of the effectiveness of the state-of-the-art hardware security verification typically used in industry.

We discuss the results of our case studies and investigations. We shed light on the specific limitations of these approaches to propel future research in these directions and in the open-source hardware landscape.

Bio: Ahmad-Reza Sadeghi is a professor of Computer Science at the TU Darmstadt, Germany. He is the head of the Systems Security Lab at the Cybersecurity Research Center of TU Darmstadt. He is also the director of the Intel Research Institute for Collaborative Autonomous Resilient Systems (ICRI-CARS) at TU Darmstadt. He holds a Ph.D. in Computer Science from the University of Saarland, Germany. Prior to academia, he worked in R&D of Telecommunications enterprises, amongst others Ericsson Telecommunications.

He has been continuously contributing to security and privacy research. He was Editor-In-Chief of IEEE Security and Privacy Magazine, served 5 years on the editorial board of the ACM Transactions on Information and System Security (TISSEC), and is currently on the editorial boards of ACM Books, ACM TODAES, ACM TIOT and ACM DTRAP.

For his influential research on Trusted and Trustworthy Computing he received the renowned German “Karl Heinz Beckurts” award. This award honors excellent scientific achievements with high impact on industrial innovations in Germany. In 2018 Prof. Sadeghi received the ACM SIGSAC Outstanding Contributions Award for dedicated research, education, and management leadership in the security community and for pioneering contributions in content protection, mobile security and hardware-assisted security. SIGSAC is ACM’s Special Interest Group on Security, Audit and Control.


Tutorial

The Game of Spear and Shield in Enterprise Networks
Prof. Shiuhpyng Winston Shieh

Abstract: With fast growth of IoT technology, ubiquitous devices and services significantly increase the complexity of cybersecurity management of enterprise networks. These devices bring not only convenience but also new security threats. In an enterprise network, thousands of devices may be connected and exposed to various cyber threats. The enterprise attack surface includes all the ways in which an adversary can attack an enterprise. Tens of thousands of new CVEs (Common Vulnerabilities and Exposures) were found each year but their patches often lag far behind. This large number of zero-day vulnerabilities along with many other attack methods, such as phishing, mutated malware, system misconfigurations, social engineering, insider threats, can significantly increase the risk of an enterprise. As agreed by many security experts, given enough time and effort, anything can be breached. The game of spear and shield does not seem to have an end, at least not any time soon. Conventional perimeter defensive mechanisms can be evaded and cannot be administered manually due to their complexity. To cope with the problems, new solutions are desirable to enable management of the complex and heterogeneous enterprise networks. In this talk, we introduce the challenges and opportunities of offensive and defense techniques for an enterprise network. Case studies for offensive techniques, such as vulnerability assessment and penetration testing, against enterprise networks will be given. These offensive methods can complement, not replace, defensive mechanisms in the life cycle of system development for security assurance. On the other hand, fractured point solutions leave enterprises exposed and limit economies of scale. According to recent security service providers’ reports, it may in many cases take months or sometimes years to discover devices being infected in an enterprise.
This motivates the need of comprehensive defense strategies and measures for holistic improvement. It is important for an enterprise to have a comprehensive, systematic, and near real-time view into their threat level and breach risk along with specific prioritized insights and integrations to enable them to escalate their cybersecurity posture. With real-time visibility and measures, a cyber-resilient enterprise network can be built and effectively controlled in line with the enterprise’s core values to maximize the effectiveness of investment.

Bio: Shieh received his M.S. and Ph.D. degrees in electrical and computer engineering from the University of Maryland, College Park, respectively. Shieh is currently a University Chair Professor of National Chiao Tung University (NCTU), and adjunct Chair Professor of Chung Yuan Christian University. He has served as the advisor to the National Security Council of Taiwan, the chair of Computer Science Department, NCTU, and President of Chinese Cryptology and Information Security Association (CCISA). Being actively involved in IEEE, he has served as EIC of IEEE Reliability, RS Newsletter, Reliability Society VP Tech, Fellow Evaluation Committee Chair, Editor of IEEE Trans. on Reliability, IEEE Trans. on Dependable and Secure Computing, and founding STC Chair of IEEE Conference on Dependable and Secure Computing. In ACM, he has also served as ACM SIGSAC Awards Committee member, Associate Editor of ACM Trans on Information and System Security, and founding STC and TPC chairs of ACM Symposium on Information, Computer and Communications Security (ASIACCS). Along with Virgil Gligor of Carnegie Mellon University, he invented the first US patent in intrusion detection, and has published 200 technical papers, patents, and books. Being well recognized in the network security field, Shieh received many awards, e.g., IEEE Reliability Society Engineer of the Year Award, Taiwan’s Ministry of Science and Technology Outstanding Research Award. He is an IEEE Fellow, and ACM Distinguished Scientist. His research interests include intrusion detection, penetration test, user behavior analytics, and malware behavior analysis. Contact him at ssp@cs.nctu.edu.tw.


Full Program

Session 1: Network security and intrusion detection (10:20—11:50 am, Nov. 18)
  1. Examining the Robustness of Learning-Based DDoS Detection in Software Defined Networks
    Ahmed Abusnaina, Aminollah Khormali, Daehun Nyang, Murat Yuksel, and Aziz Mohaisen
  2. DT-Track: Using DNS-Timing Side Channel for Mobile User Tracking
    Chun-Han Lin, Shan-Hsin Lee, Hsiu-Chuan Huang, Chi-Wei Wang, Chia-Wei Hsu, and ShiuhPyng Shieh
  3. Randomized Positioning DSSS with Message Shuffling for Anti-Jamming Wireless Communications
    Ahmad Alagil, and Yao Liu
  4. Honor Among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets
    Jinchun Choi, Ahmed Abusnaina, Afsah Anwar, An Wang, Songqing Chen, Daehun Nyang, and Aziz Mohaisen
Session 2: Applied cryptography (1:30—3:20 pm, Nov. 18)
  1. Neural Cryptanalysis: Metrics, Methodology, and Applications in CPS Ciphers
    Ya Xiao, Qingying Hao, and Danfeng (Daphne) Yao
  2. A Blind Signature from Module Lattices
    Huy Quoc Le, Willy Susilo, Xuan Khuc Thanh, Minh Kim Bui, and Dung Hoang Duong
  3. Random Delay Attack and its Applications on Load Frequency Control of Power Systems
    Yongdong Wu, Jian Weng, Bo Qiu, Zhuo Wei, and Fan Qian
  4. E2E Verifiable Electronic Voting System for Shareholders
    Samiran Bag, and Feng Hao
  5. Secure Outsourcing Algorithm for Bilinear Pairings Without Pre-computation
    Le Tong, Jia Yu, and Hanlin Zhang
Session 3: Machine learning and security (3:40—5:30 pm, Nov. 18)
  1. An optimized positive-unlabeled learning method for detecting a large scale of malware variants
    Jixin Zhang, Mohammad Khan, Xiaodong Lin, and Zheng Qin
  2. Gaussian Process Learning for Distributed Sensor Networks Under False Data Injection Attacks
    Xiuming Liu, and Edith Ngai
  3. Federated-Cloud Based Deep Neural Networks with Privacy Preserving Image Filtering Techniques
    Isabelle Choi, Qiyang Song and Kun Sun
  4. Deep-BIF: Blind image forensics based on deep learning
    Baole Wei, Min Yu, Kai Chen and Jianguo Jiang
  5. Multi-Level Proactive Security Auditing for Clouds
    Suryadipta Majumdar, Azadeh Tabiban, Meisam Mohammady, Alaa Oqaily, Yosr Jarraya, Makan Pourzandi, Lingyu Wang and Mourad Debbabi
Session 4: Encrypted databases and search (10:20—11:50 am, Nov. 19)
  1. Securing Relational Database Storage with Attribute Association Aware Shuffling
    Tieming Geng, Hatim Alsuwat, Chin-Tser Huang, and Csilla Farkas
  2. Lightweight Attribute-based Keyword Search with Policy Protection for Cloud-assisted IoT
    Jianfei Sun, Hu Xiong, Robert H. Deng, Yinghui Zhang, Ximeng Liu, and Mingsheng Cao
  3. Secure Boolean Queries over Encrypted Data from Indistinguishability Obfuscation
    Jing Yao, Helei Cui, and Xiaolin Gui
  4. Correlation-based search against friendly jamming data exchange schemes
    Jingyi ZHANG, Qiao HU, and Gerhard Petrus HANCKE
Session 5: Hardware security and reliability (1:30—3:20 pm, Nov. 19)
  1. Proof of Encryption: Enforcement of Security Service Level Agreement for Encryption
    Sultan Alasmari, Weichao Wang, Tuanfa Qin, and Yu Wang
  2. MicroGuard: Securing Bare-Metal Microcontrollers against Code-Reuse Attacks
    Majid Salehi, Danny Hughes and Bruno Crispo
  3. Persistent Fault Injection in FPGA via BRAM Modification
    Yiran Zhang, Fan Zhang, Bolin Yang, Guorui Xu, Bin Shao, Xinjie Zhao and Kui Ren
  4. Defeating Speculative-Execution Attacks on SGX with HyperRace
    Guoxing Chen, Mengyuan Li, Fengwei Zhang and Yinqian Zhang
  5. Exploiting Mallows Distance to Quantify EEG Distribution for Personal Identification
    Baicheng Chen, Kun Woo Cho, Chenhan Xu, Feng Lin, Zhanpeng Jin and Wenyao Xu
Session 6: Cryptocurrencies and blockchain technologies (3:40—5:30 pm, Nov. 19)
  1. Towards A Ledger-assisted Architecture for Secure Query Processing over Distributed IoT Data
    Xingliang Yuan, Chengjun Cai, Qian Wang, and Qi Li
  2. BanFel: A blockchain based smart contract for fair and efficient lottery scheme
    Jiasheng Li, Zijian Zhang, and Meng Li
  3. Super Payment Channel for Decentralized Cryptocurrencies
    Shengmin Xu, Jiaming Yuan, Yingjiu Li, Ximeng Liu, and Yinghui Zhang
  4. SoK: A Systematic Study of Anonymity in the Cryptocurrencies
    Nasser Alsalami, and Bingsheng Zhang
  5. Utilizing Public Blockchains for Censorship-Circumvention and IoT Communication
    Nasser Alsalami, and Bingsheng Zhang
Session 7: Other topics on dependable and secure computing (10:20—12:10 am, Nov. 20)
  1. Traceable Private Set Intersection in Cloud Computing
    Tao Jiang and Xu Yuan
  2. Towards the Trust-Enhancements of Single Sign-On Services
    Xuhua Bao, Xiaokun Zhang, Jingqiang Lin, Dawei Chu, Qiongxiao Wang and Fengjun Li
  3. Securely Perturb Big Data by Using Inner Product
    Mingli Wu and Tsz Hon Yuen
  4. Fidelity: A Property of Deep Neural Networks to Measure the Trustworthiness of Results
    Ziqi Yang
  5. Broken Relationship of Mobile User Intentions and Permission Control of Shared System Resources
    Hao Wu, Zheng Qin, Xuejin Tian, Edward Sun, Fengyuan Xu and Sheng Zhong

Accepted Papers
Main Track: Computer Systems, Networks, and Software/Hardware

  1. Securing Relational Database Storage with Attribute Association Aware Shuffling
    Tieming Geng, Hatim Alsuwat, Chin-Tser Huang and Csilla Farkas
  2. Towards A Ledger-assisted Architecture for Secure Query Processing over Distributed IoT Data
    Xingliang Yuan, Chengjun Cai, Qian Wang and Qi Li
  3. Examining the Robustness of Learning-Based DDoS Detection in Software Defined Networks
    Aminollah Khormali, Ahmed Abusnaina, Daehun Nyang, Murat Yuksel and Aziz Mohaisen
  4. Lightweight Attribute-based Keyword Search with Policy Protection for Cloud-assisted IoT
    Jianfei Sun, Robert H. Deng, Hu Xiong, Yinghui Zhang, Ximeng Liu and Mingsheng Cao
  5. MicroGuard: Securing Bare-Metal Microcontrollers against Code-Reuse Attacks
    Majid Salehi, Danny Hughes and Bruno Crispo
  6. Honor Among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets
    Jinchun Choi, Ahmed Abusnaina, Afsah Anwar, An Wang, Songqing Chen, Daehun Nyang and Aziz Mohaisen
  7. Secure Boolean Queries over Encrypted Data from Indistinguishability Obfuscation
    Jing Yao, Helei Cui and Xiaolin Gui
  8. BanFel: A blockchain based smart contract for fair and efficient lottery scheme
    Jiasheng Li, Zijian Zhang and Meng Li
  9. Fidelity: A Property of Deep Neural Networks to Measure the Trustworthiness of Results
    Ziqi Yang
  10. DT-Track: Using DNS-Timing Side Channel for Mobile User Tracking
    Chun-Han Lin, Shan-Hsin Lee, Hsiu-Chuan Huang, Chi-Wei Wang, Chia-Wei Hsu and Shiuhpyng Shieh
  11. Traceable Private Set Intersection in Cloud Computing
    Tao Jiang and Xu Yuan
  12. Persistent Fault Injection in FPGA via BRAM Modification
    Yiran Zhang, Fan Zhang, Bolin Yang, Guorui Xu, Bin Shao, Xinjie Zhao and Kui Ren
  13. A Blind Signature from Module Lattices
    Huy Quoc Le, Willy Susilo, Thanh Xuan Khuc, Minh Kim Bui and Dung Hoang Duong
  14. Random Delay Attack and its Applications on Load Frequency Control of Power Systems
    Yongdong Wu, Jian Weng, Bo Qiu, Zhuo Wei, Robert H. Deng and Yongdong Wu
  15. Towards the Trust-Enhancements of Single Sign-On Services
    Xuhua Bao, Xiaokun Zhang, Jingqiang Lin, Dawei Chu, Qiongxiao Wang and Fengjun Li
  16. E2E Verifiable Electronic Voting System for Shareholders
    Samiran Bag and Feng Hao
  17. Randomized Positioning DSSS with Message Shuffling for Anti-Jamming Wireless Communications
    Ahmad Alagil and Yao Liu
  18. Secure Outsourcing Algorithm for Bilinear Pairings Without Pre-computation
    Le Tong, Jia Yu and Hanlin Zhang
  19. Correlation-based search against friendly jamming data exchange schemes
    Jingyi Zhang, Qiao Hu and Gerhard Petrus Hancke
  20. Super Payment Channel for Decentralized Cryptocurrencies
    Shengmin Xu, Jiaming Yuan, Yingjiu Li, Ximeng Liu and Yinghui Zhang
  21. Defeating Speculative-Execution Attacks on SGX with HyperRace
    Guoxing Chen, Mengyuan Li, Fengwei Zhang and Yinqian Zhang
  22. SoK: A Systematic Study of Anonymity in the Cryptocurrencies
    Nasser Alsalami and Bingsheng Zhang
  23. Securely Perturb Big Data by Using Inner Product
    Mingli Wu and Tsz Hon Yuen
  24. An optimized positive-unlabeled learning method for detecting a large scale of malware variants
    Jixin Zhang, Mohammad Khan, Xiaodong Lin and Zheng Qin
  25. Gaussian Process Learning for Distributed Sensor Networks Under False Data Injection Attacks
    Xiuming Liu and Edith Ngai
  26. Utilizing Public Blockchains for Censorship-Circumvention and IoT Communication
    Nasser Alsalami and Bingsheng Zhang
  27. Neural Cryptanalysis: Metrics, Methodology, and Applications in CPS Ciphers
    Ya Xiao, Qingying Hao and Danfeng Yao
  28. Proof of Encryption: Enforcement of Security Service Level Agreement for Encryption
    Sultan Alasmari, Weichao Wang, Tuanfa Qin and Yu Wang
  29. Multi-Level Proactive Security Auditing for Clouds
    Suryadipta Majumdar, Azadeh Tabiban, Meisam Mohammady, Alaa Oqaily, Yosr Jarraya, Makan Pourzandi, Lingyu Wang and Mourad Debbabi
  30. Federated-Cloud Based Deep Neural Networks with Privacy Preserving Image Filtering Techniques
    Isabelle Choi, Qiyang Song and Kun Sun
  31. Exploiting Mallows Distance to Quantify EEG Distribution for Personal Identification
    Baicheng Chen, Kun Woo Cho, Chenhan Xu, Feng Lin, Zhanpeng Jin and Wenyao Xu
  32. Deep-BIF: Blind image forensics based on deep learning
    Baole Wei, Min Yu, Kai Chen and Jianguo Jiang
  33. Broken Relationship of Mobile User Intentions and Permission Control of Shared System Resources
    Hao Wu, Zheng Qin, Xuejin Tian, Edward Sun, Fengyuan Xu and Sheng Zhong
