Victor will present in this introductory talk his past work on informed consent in the
IoT, and his research perspectives for the CyberSecIT project.
The first part of his presentation will summarize his PhD work, including a short
video demonstration.
The second part will introduce his interdisciplinary experience within the Sustainable
Computing Lab in Vienna on the standardization of consent in the IoT.
Finally, the third part will present his research perspectives for the CyberSecIT
project with the iSec group at Chalmers.
Marit will explain various difficulties of enforcing Art. 25 GDPR from the perspective of a supervisory authority. She
will compare the deficiencies in this area with the situation of implementing "security-by-design" approaches. Also,
current trends stemming from technology design and from recent court decisions will be discussed concerning their
relevance for compliance with data protection requirements. To achieve built-in data protection, Marit will present
her "wish list" that addresses stakeholders such as researchers, developers, academic teachers, data protection
officers, lawyers and the data protection authorities themselves.
In this talk we will look at the protocol that allows two parties
who know their locations on a Euclidean plane to check whether they
are within distance R of each other or not. A distinguishing feature
of this protocol is that it does not require the parties to
communicate with each other directly and be online at the same
time. We introduce a pair of servers to which one client may submit
their data and go offline with the other client coming online later,
finishing the protocol and fetching the matching result.
We build the protocol by combining existing off-the-shelf
cryptographic techniques. Interestingly, the protocol has better
parameters (w.r.t. performance and security) than some of the
hand-crafted protocols. So the importance of our protocol is in
showing what can be achieved in this field “for free” using the
generic techniques, and setting the bar for anyone who tries to make
a “smarter” protocol for this problem in the future.
During the talk we will have an intro to how Multi-Party Computation
protocols work, then show how our CatNap is built from them, and
finally discuss the practical implications of this work.
TypeScript is a typed version of JavaScript widely used across
Amazon, but poses challenges for static analysis: The language
supports many intricate features used in practice, such as callbacks
and higher-order functions, dynamic field access, and asynchronous
code. At the same time, the size of industrial code bases such as
the Prime Video application makes a highly precise whole-program
analysis intractable. In this talk, we present how we approach this
trade-off in Prime Video with a lightweight whole-program analysis
followed by a more precise goal-directed analysis of potential bug
locations. Our goal-directed analysis uses an imprecise call graph
and points-to information generated upfront to guide a more
expensive goal-directed analysis that attempts to prove that
potential bugs cannot happen via abstract interpretation backed by
an SMT solver.
This talk will be about ongoing work on developing new program
synthesis techniques. One of the applications is to find programs
that break type soundness, given a type system and a semantics. I
will show that some [challenges of the
IFC](https://ifc-challenge.appspot.com/) can be solved automatically
in this way.
We present our work on the suitability of the metaphors for aiding
informed decisions of data subjects on sharing their data with
differential privacy (DP) systems and discuss open research
challenges.
HTTPS is a cornerstone of privacy in the modern Web. The public key
infrastructure underlying HTTPS, however, is a frequent target of
attacks. We introduce LogPicker, a novel protocol for strengthening
the public key infrastructure of HTTPS. LogPicker enables a pool of
Certificate Transparency (CT) logs to collaborate, where a randomly
selected log includes the certificate while the rest witness and
testify the certificate issuance process. As a result, CT logs
become capable of auditing the log in charge independently without
the need for a trusted third party.
Computer systems have evolved beyond classical notions of personal
computers, servers and even smartphones. They are distributed,
embedded, capable of learning and can modify our perception of the
physical world. Securing such systems requires an end-to-end
perspective. I will demonstrate the utility of this perspective by
discussing my recent results on: (1) building least-privilege
distributed systems with applications to the Internet of Things; and
(2) establishing threat models for systems that learn.
Traffic analysis for instant messaging (IM) applications continues to pose an important privacy challenge. In particular, transport-level data can unintentionally leak information about IM, such as who communicates with whom. Existing tools for metadata privacy have adoption obstacles, including the risk of being scrutinized for having a particular app installed, and performance overheads incompatible with mobile devices.
Common verification procedures for digital signatures return a
decision (accept/reject) only at the very end of the execution. If
interrupted prematurely, however, the verification process cannot
infer any meaningful information about the validity of the given
signature. This limitation is due solely to the algorithm design,
and it is not inherent to signature verification. In this talk, I
will present a formal framework to handle interruptions during
signature verification and a generic way to devise alternative
verification procedures that progressively build confidence in the
final decision. Our transformation applies to a wide range of
post-quantum secure schemes including the NIST finalist Rainbow.
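As an added illustration of the idea (not the talk's framework and not Rainbow's actual verification), the toy multivariate scheme below verifies a signature by checking m quadratic equations one at a time, so an interruption after k equations still yields a partial verdict instead of nothing. The field GF(Q), the random public polynomials and the valid signature/digest pair are constructed here; signing and key generation are not modelled, and the confidence figure is a heuristic assumption.

```python
import random

Q = 7919  # prime modulus of the toy field GF(Q) (constructed; not a Rainbow parameter)


def random_quadratic_system(m, n, rng):
    """Toy public key: m random quadratic polynomials in n variables over GF(Q)."""
    system = []
    for _ in range(m):
        quad = {(i, j): rng.randrange(Q) for i in range(n) for j in range(i, n)}
        lin = [rng.randrange(Q) for _ in range(n)]
        system.append((quad, lin, rng.randrange(Q)))
    return system


def eval_poly(poly, x):
    """Evaluate one public polynomial at the signature vector x."""
    quad, lin, const = poly
    total = const
    for (i, j), c in quad.items():
        total += c * x[i] * x[j]
    for i, l in enumerate(lin):
        total += l * x[i]
    return total % Q


def verify_progressive(public_key, digest, sig, budget=None):
    """Check equations one by one; `budget` models an interruption after that many checks.

    Returns (decision, equations_checked, confidence). Confidence is the heuristic
    1 - Q**(-k): an invalid signature satisfies each random equation with probability
    about 1/Q, so surviving k of them leaves roughly Q**(-k) residual doubt.
    """
    m = len(public_key)
    limit = m if budget is None else min(budget, m)
    for k in range(limit):
        if eval_poly(public_key[k], sig) != digest[k]:
            return "reject", k + 1, 1.0  # a single failing equation is conclusive
    if limit < m:
        return "undecided", limit, 1.0 - Q ** (-limit)
    return "accept", m, 1.0


def demo(seed=2024, m=6, n=9):
    rng = random.Random(seed)
    pk = random_quadratic_system(m, n, rng)
    sig = [rng.randrange(Q) for _ in range(n)]
    digest = [eval_poly(p, sig) for p in pk]  # valid pair by construction
    forged = [(sig[0] + 1) % Q] + sig[1:]     # tamper one coordinate
    return {
        "full": verify_progressive(pk, digest, sig),
        "interrupted": verify_progressive(pk, digest, sig, budget=2),
        "forged": verify_progressive(pk, digest, forged),
    }
```

A conventional verifier would return nothing for the interrupted case; here it reports two passed equations and the corresponding partial confidence.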