Papers Submitted for the Best Paper Award

Papers Submitted:

1. Reconciling User Privacy and Implicit Authentication for Mobile Devices
   Bibliographic details: Siamak F. Shahandashti, Reihaneh Safavi-Naini, and Nashad Ahmed Safa. “Reconciling User Privacy and Implicit Authentication for Mobile Devices”. In Computers & Security 53: 215–233, Elsevier, 2015.
   Impact statement: Implicit authentication (IA) is to continuously authenticate a user in the background by comparing their current usage pattern with their usual usage pattern. Although IA sounds impossible to achieve without the authenticating server “knowing” the user behaviour history, in this paper we design the first IA protocol in which only an encrypted version of user behaviour history is stored at the server side and hence user privacy is preserved. The conference version of the paper (published 2014, cited 5 times) has been cited as the first work looking at this research problem, and inspired new solutions by other researchers.

2. On Structuring Holistic Fault Tolerance
   Bibliographic details: Rem Gensh, Alexander Romanovsky, Alex Yakovlev, Modularity 2016, accepted on 11 Dec 2015
   Impact statement: We present a novel approach relating to the design of fault tolerance for the system. The given approach assumes that the system’s fault tolerance is coordinated by the special holistic fault tolerance (HFT) component. The HFT component has access to all critical components of the system, providing a convenient way to structure fault tolerance and to make system-wide decisions about applying the error detection and error recovery. Two main contributions of the approach are: 1) Facilitation of the design and maintainability of fault tolerance mechanisms. 2) Improvement of the overall system efficiency in terms of resource utilisation.

3. Tap-Tap and Pay (TTP): Preventing the Mafia Attack in NFC Payment
   Bibliographic details: Maryam Mehrnezhad, Feng Hao, Siamak F Shahandashti, Security Standardisation Research 2015, Tokyo, Japan
   Impact statement: Mobile NFC payment is already a popular technology among people. The Mafia attack presents a realistic threat to payment systems and yet remained unsolved by the industry. We present “Tap-Tap and Pay” (TTP), to effectively prevent this attack. In TTP, a user initiates an NFC payment by physically tapping her mobile against the reader. The physical tapping causes transient vibrations, which can be measured by the embedded accelerometers. By comparing the similarity between the measurements, we can effectively tell apart the Mafia-fraud from a legitimate transaction. The results suggest that TTP is reliable, usable and has good potential for practical deployment.

4. TouchSignatures: Identification of user touch actions and PINs based on mobile sensor data via JavaScript
   Bibliographic details: M. Mehrnezhad, E. Toreini, F. Hao, S. Shahandashti, Journal of information security and applications 26 (2016) 23–38
   Impact statement: Conforming to W3C specifications, mobile web browsers allow JavaScript code to access motion and orientation sensor data without the user’s permission. Here, for the first time, we show how user security can be compromised using these sensor data via browser. We examine popular browsers on Android and iOS and identify multiple vulnerabilities. We propose TouchSignatures which is able to distinguish the user’s touch actions (tap, scroll, hold, and zoom) and her PINs by listening to such sensor data with high accuracy. The W3C community and major mobile browser vendors (Mozilla, Google, Apple and Opera) have acknowledged our work and are implementing some of our proposed countermeasures.

5. EXE-SPEM: Towards Cloud-Based Executable Software Process Models
   Bibliographic details: Sami Alajrami, Barbara Gallina, Alexander Romanovsky. 4th International Conference on Model-Driven Engineering and Software Development. Accepted 26/11/2015.
   Impact statement: This paper discusses the potentials and concerns of cloud-based software processes. It serves as a first step towards model-driven software engineering in the "Post-PC" era by introducing EXE-SPEM which is an extension of a subset of the Software and Systems Process Engineering Meta-model. EXE-SPEM supports modelling executable processes that can be enacted in the cloud. These processes can incorporate tools on the fly and teams from different locations. They also can be executed on multiple clouds. EXE-SPEM paves the way for software processes to move to the cloud and utilise its virtues.

6. Refund attacks on Bitcoin’s Payment Protocol
   Bibliographic details: Patrick McCorry, Siamak F. Shahandashti, Feng Hao, Financial Cryptography and Data Security '16
   Impact statement: BIP70 is a community-accepted Payment Protocol standard that governs how merchants and customers perform payments in Bitcoin. It is supported by most major wallets and the two dominant Payment Processors: Coinbase and BitPay, who provide Bitcoin as a form of payment to more than 100,000 merchants. We present new attacks on the Payment Protocol standard, which affect all BIP70 merchants. Both attacks have been experimentally verified and acknowledged by BitPay/Coinbase with temporary mitigation measures put in place. To fully address the identified issues, we propose a revision to BIP70 which should be implemented by all Bitcoin wallets.

7. Proactive Security Analysis of Changes in Virtualized Infrastructures
   Bibliographic details: Sören Bleikertz, Carsten Vogel, Thomas Groß, and Sebastian Mödersheim. Proactive security analysis of changes in virtualized infrastructures. In Proceedings of the 31st Annual Computer Security Applications Conference, pp. 51-60. ACM Press, 2015.
   Impact statement: The paper is the first to model and analyze the properties of dynamically changing systems as well as possible operations of administrators in a graph calculus. Thereby, it makes it possible to predict the security impact of operations in a mechanized analysis, before they are committed to the system. The research primarily impacts cloud security assurance offering a new way to prevent misconfigurations that would make the system insecure. It impacts several EU projects and stands to impact IBM security products such as IBM PowerSC Trusted Surveyor and high-security cloud deployments, at first. The method generalizes to arbitrary evolving systems.
