Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Lecture Notes in Computer Science 12308
Founding Editors
Gerhard GoosKarlsruhe Institute of Technology, Karlsruhe, Germany
Juris HartmanisCornell University, Ithaca, NY, USA
Editorial Board Members
Elisa BertinoPurdue University, West Lafayette, IN, USA
Wen GaoPeking University, Beijing, China
Bernhard SteffenTU Dortmund University, Dortmund, Germany
Gerhard WoegingerRWTH Aachen, Aachen, Germany
Moti YungColumbia University, New York, NY, USA
More information about this series at http://www.springer.com/series/7410
Liqun Chen • Ninghui Li •
Kaitai Liang • Steve Schneider (Eds.)
Computer Security –
ESORICS 202025th European Symposiumon Research in Computer Security, ESORICS 2020Guildford, UK, September 14–18, 2020Proceedings, Part I
123
EditorsLiqun ChenUniversity of SurreyGuildford, UK
Ninghui LiPurdue UniversityWest Lafayette, IN, USA
Kaitai LiangDelft University of TechnologyDelft, The Netherlands
Steve SchneiderUniversity of SurreyGuildford, UK
ISSN 0302-9743 ISSN 1611-3349 (electronic)Lecture Notes in Computer ScienceISBN 978-3-030-58950-9 ISBN 978-3-030-58951-6 (eBook)https://doi.org/10.1007/978-3-030-58951-6
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer Nature Switzerland AG 2020This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of thematerial is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,broadcasting, reproduction on microfilms or in any other physical way, and transmission or informationstorage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology nowknown or hereafter developed.The use of general descriptive names, registered names, trademarks, service marks, etc. in this publicationdoes not imply, even in the absence of a specific statement, that such names are exempt from the relevantprotective laws and regulations and therefore free for general use.The publisher, the authors and the editors are safe to assume that the advice and information in this book arebelieved to be true and accurate at the date of publication. Neither the publisher nor the authors or the editorsgive a warranty, expressed or implied, with respect to the material contained herein or for any errors oromissions that may have been made. The publisher remains neutral with regard to jurisdictional claims inpublished maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AGThe registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The two volume set, LNCS 12308 and 12309, contain the papers that were selected forpresentation and publication at the 25th European Symposium on Research in Com-puter Security (ESORICS 2020) which was held together with affiliated workshopsduring the week September 14–18, 2020. Due to the global COVID-19 pandemic, theconference and workshops ran virtually, hosted by the University of Surrey, UK. Theaim of ESORICS is to further research in computer security and privacy by establishinga European forum, bringing together researchers in these areas by promoting theexchange of ideas with system developers and by encouraging links with researchers inrelated fields.
In response to the call for papers, 366 papers were submitted to the conference.These papers were evaluated on the basis of their significance, novelty, and technicalquality. Except for a very small number of papers, each paper was carefully evaluatedby three to five referees and then discussed among the Program Committee. The paperswere reviewed in a single-blind manner. Finally, 72 papers were selected for presen-tation at the conference, yielding an acceptance rate of 19.7%. We were also delightedto welcome invited talks from Aggelos Kiayias, Vadim Lyubashevsky, and RebeccaWright.
Following the reviews two papers were selected for Best Paper Awards and theyshare the 1,000 EUR prize generously provided by Springer: “Pine: Enablingprivacy-preserving deep packet inspection on TLS with rule-hiding and fast connectionestablishment” by Jianting Ning, Xinyi Huang, Geong Sen Poh, Shengmin Xu, JasonLoh, Jian Weng, and Robert H. Deng; and “Automatic generation of source lemmas inTamarin: towards automatic proofs of security protocols” by Véronique Cortier,Stéphanie Delaune, and Jannik Dreier.
The Program Committee consisted of 127 members across 25 countries. There weresubmissions from a total of 1,201 authors across 42 countries, with 24 countriesrepresented among the accepted papers.
ESORICS 2020 would not have been possible without the contributions of the manyvolunteers who freely gave their time and expertise. We would like to thank themembers of the Program Committee and the external reviewers for their substantialwork in evaluating the papers. We would also like to thank the organization/departmentchair, Helen Treharne, the workshop chair, Mark Manulis, and all of the workshopco-chairs, the poster chair, Ioana Boureanu, and the ESORICS Steering Committee. Weare also grateful to Huawei and IBM Research – Haifa, Israel for their sponsorship thatenabled us to support this online event. Finally, we would like to express our thanks tothe authors who submitted papers to ESORICS 2020. They, more than anyone else, arewhat made this conference possible.
We hope that you will find the proceedings stimulating and a source of inspirationfor future research.
September 2020 Liqun ChenNinghui Li
Kaitai LiangSteve Schneider
vi Preface
Organization
General Chair
Steve Schneider University of Surrey, UK
Program Chairs
Liqun Chen University of Surrey, UKNinghui Li Purdue University, USA
Steering Committee
Sokratis Katsikas (Chair)Michael BackesJoachim BiskupFrederic CuppensSabrina De Capitani di VimercatiDieter GollmannMirek KutylowskiJavier LopezJean-Jacques QuisquaterPeter Y. A. RyanPierangela SamaratiEinar SnekkenesMichael Waidner
Program Committee
Yousra Aafer University of Waterloo, CanadaMitsuaki Akiyama NTT, JapanCristina Alcaraz UMA, SpainFrederik Armknecht Universität Mannheim, GermanyVijay Atluri Rutgers University, USAErman Ayday Bilkent University, TurkeyAntonio Bianchi Purdue University, USAMarina Blanton University at Buffalo, USACarlo Blundo Università degli Studi di Salerno, ItalyAlvaro Cardenas The University of Texas at Dallas, USABerkay Celik Purdue University, USAAldar C-F. Chan BIS Innovation Hub Centre, Hong Kong, ChinaSze Yiu Chau Purdue University, USA
Rongmao Chen National University of Defense Technology, ChinaYu Chen Shandong University, ChinaSherman S. M. Chow The Chinese University of Hong Kong, Hong Kong,
ChinaMauro Conti University of Padua, ItalyFrédéric Cuppens Polytechnique Montreal, CanadaNora Cuppens-Boulahia Polytechnique Montréal, CanadaMarc Dacier Qatar Computing Research Institute (QCRI), QatarSabrina De Capitani di
VimercatiUniversità degli Studi di Milano, Italy
Hervé Debar Télécom SudParis, FranceStéphanie Delaune University of Rennes, CNRS, IRISA, FranceRoberto Di Pietro Hamad Bin Khalifa University, QatarTassos Dimitriou Kuwait University, KuwaitJosep Domingo-Ferrer Universitat Rovira i Virgili, SpainChangyu Dong Newcastle University, UKWenliang Du Syracuse University, ItalyHaixin Duan Tsinghua University, ChinaFrançois Dupressoir University of Bristol, UKKassem Fawaz University of Wisconsin-Madison, USAJose-Luis Ferrer-Gomila University of the Balearic Islands, SpainSara Foresti DI, Università degli Studi di Milano, ItalyDavid Galindo University of Birmingham, UKDebin Gao Singapore Management University, SingaporeJoaquin Garcia-Alfaro Télécom SudParis, FranceThanassis Giannetsos Technical University of Denmark, DenmarkDieter Gollmann Hamburg University of Technology, GermanyStefanos Gritzalis University of the Aegean, GreeceGuofei Gu Texas A&M University, USAZhongshu Gu IBM Research, USAJinguang Han Queen’s University Belfast, UKFeng Hao University of Warwick, UKJuan Hernández-Serrano Universitat Politècnica de Catalunya, SpainXinyi Huang Fujian Normal University, ChinaSyed Hussain Purdue University, USAShouling Ji Zhejiang University, ChinaGhassan Karame NEC Laboratories Europe, GermanySokratis Katsikas Norwegian University of Science and Technology,
NorwayStefan Katzenbeisser TU Darmstadt, GermanyRyan Ko The University of Queensland, AustraliaSteve Kremer Inria, FranceMarina Krotofil FireEye, USAYonghwi Kwon University of Virginia, USACostas Lambrinoudakis University of Piraeus, GreeceKyu Hyung Lee University of Georgia, USA
viii Organization
Shujun Li University of Kent, UKYingjiu Li Singapore Management University, SingaporeKaitai Liang Delft University of Technology, The NetherlandsHoon Wei Lim Trustwave, SingaporeJoseph Liu Monash University, AustraliaRongxing Lu University of New Brunswick, CanadaXiapu Luo The Hong Kong Polytechnic University, Hong Kong,
ChinaShiqing Ma Rutgers University, USALeandros Maglaras De Montfort University, UKMark Manulis University of Surrey, UKKonstantinos
MarkantonakisRoyal Holloway, University of London, UK
Fabio Martinelli IIT-CNR, ItalyIvan Martinovic University of Oxford, UKSjouke Mauw University of Luxembourg, LuxembourgCatherine Meadows NRL, USAWeizhi Meng Technical University of Denmark, DenmarkChris Mitchell Royal Holloway, University of London, UKTatsuya Mori Waseda University, JapanHaralambos Mouratidis University of Brighton, UKDavid Naccache Ecole normale supérieur, FranceSiaw-Lynn Ng Royal Holloway, University of London, UKJianting Ning Singapore Management University, SingaporeSatoshi Obana Hosei University, JapanMartín Ochoa Universidad del Rosario, ColombiaRolf Oppliger eSECURITY Technologies, SwitzerlandManos Panousis University of Greenwich, UKOlivier Pereira UCLouvain, BelgiumGünther Pernul Universität Regensburg, GermanyJoachim Posegga University of Passau, GermanyIndrajit Ray Colorado State University, USAKui Ren Zhejiang University, ChinaGiovanni Russello The University of Auckland, New ZealandMark Ryan University of Birmingham, UKReihaneh Safavi-Naini University of Calgary, CanadaBrendan Saltaformaggio Georgia Institute of Technology, USAPierangela Samarati Università degli Studi di Milano, ItalyDamien Sauveron XLIM, UMR University of Limoges, CNRS 7252,
FranceEinar Snekkenes Norwegian University of Science and Technology,
NorwayYixin Sun University of Virginia, USAWilly Susilo University of Wollongong, Australia
Organization ix
Pawel Szalachowski SUTD, SingaporeQiang Tang Luxembourg Institute of Science and Technology,
LuxembourgQiang Tang New Jersey Institute of Technology, USAJuan Tapiador Universidad Carlos III de Madrid, SpainDave Jing Tian Purdue University, USANils Ole Tippenhauer CISPA, GermanyHelen Treharne University of Surrey, UKAggeliki Tsohou Ionian University, GreeceLuca Viganò King’s College London, UKMichael Waidner Fraunhofer, GermanyCong Wang City University of Hong Kong, Hong Kong, ChinaLingyu Wang Concordia University, CanadaWeihang Wang SUNY University at Buffalo, USAEdgar Weippl SBA Research, AustriaChristos Xenakis University of Piraeus, GreeceYang Xiang Swinburne University of Technology, AustraliaGuomin Yang University of Wollongong, AustraliaKang Yang State Key Laboratory of Cryptology, ChinaXun Yi RMIT University, AustraliaYu Yu Shanghai Jiao Tong University, ChinaTsz Hon Yuen The University of Hong Kong, Hong Kong, ChinaFengwei Zhang SUSTech, ChinaKehuan Zhang The Chinese University of Hong Kong, Hong Kong,
ChinaYang Zhang CISPA Helmholtz Center for Information Security,
GermanyYuan Zhang Fudan University, ChinaZhenfeng Zhang Chinese Academy of Sciences, ChinaYunlei Zhao Fudan University, ChinaJianying Zhou Singapore University of Technology and Design,
SingaporeSencun Zhu Penn State University, USA
Workshop Chair
Mark Manulis University of Surrey, UK
Poster Chair
Ioana Boureanu University of Surrey, UK
Organization/Department Chair
Helen Treharne University of Surrey, UK
x Organization
Organizing Chair and Publicity Chair
Kaitai Liang Delft University of Technology, The Netherlands
Additional Reviewers
Abbasi, AliAbu-Salma, RubaAhlawat, AmitAhmed, Chuadhry MujeebAhmed, ShimaaAlabdulatif, AbdulatifAlhanahnah, MohannadAliyu, AliyuAlrizah, MshababAnceaume, EmmanuelleAngelogianni, AnnaAnglés-Tafalla, CarlesAparicio Navarro, Francisco JavierArgyriou, AntoniosAsadujjaman, A. S. M.Aschermann, CorneliusAsghar, Muhammad RizwanAvizheh, SepidehBaccarini, AlessandroBacis, EnricoBaek, JoonsangBai, WeihaoBamiloshin, MichaelBarenghi, AlessandroBarrère, MartínBerger, ChristianBhattacherjee, SanjayBlanco-Justicia, AlbertoBlazy, OlivierBolgouras, VaiosBountakas, PanagiotisBrandt, MarkusBursuc, SergiuBöhm, FabianCamacho, PhilippeCardaioli, MatteoCastelblanco, AlejandraCastellanos, John HenryCecconello, Stefano
Chaidos, PyrrosChakra, RanimChandrasekaran, VarunChen, HaixiaChen, LongChen, MinChen, ZhaoChen, ZhigangChengjun LinCiampi, MicheleCicala, FabrizioCostantino, GianpieroCruz, TiagoCui, ShujieDeng, YiDiamantopoulou, VasilikiDietz, MarietheresDivakaran, Dinil MonDong, NaipengDong, ShuaikeDragan, Constantin CatalinDu, MinxinDutta, SabyasachiEichhammer, PhilippEnglbrecht, LudwigEtigowni, SriharshaFarao, AristeidisFaruq, FatmaFdhila, WalidFeng, HanwenFeng, QiFentham, DanielFerreira Torres, ChristofFila, BarbaraFraser, AshleyFu, HaoGaldi, ClementeGangwal, AnkitGao, Wei
Organization xi
Gardham, DanielGarms, LydiaGe, ChunpengGe, HuangyiGeneiatakis, DimitrisGenés-Durán, RafaelGeorgiopoulou, ZafeiroulaGetahun Chekole, EyasuGhosal, AmritaGiamouridis, GeorgeGiorgi, GiacomoGuan, QingxiaoGuo, HuiGuo, KaiwenGuo, YiminGusenbauer, MathiasHaffar, RamiHahn, FlorianHan, YufeiHausmann, ChristianHe, ShuangyuHe, SonglinHe, YingHeftrig, EliasHirschi, LuccaHu, KexinHuang, QiongHurley-Smith, DarrenIadarola, GiacomoJeitner, PhilippJia, DingdingJia, YaoqiJudmayer, AljoshaKalloniatis, ChristosKantzavelou, IoannaKasinathan, PrabhakaranKasra Kermanshahi, ShabnamKasra, ShabnamKelarev, AndreiKhandpur Singh, AshneetKim, JongkilKoay, AbigailKokolakis, SpyrosKosmanos, DimitriosKourai, KenichiKoutroumpouchos, Konstantinos
Koutroumpouchos, NikolaosKoutsos, AdrienKuchta, VeronikaLabani, HasanLai, JianchangLaing, Thalia MayLakshmanan, SudershanLallemand, JosephLan, XiaoLavranou, RenaLee, JehyunLeón, OlgaLi, JieLi, JuanruLi, ShuaigangLi, WenjuanLi, XinyuLi, YannanLi, ZengpengLi, ZhengLi, ZiyiLimniotis, KonstantinosLin, ChaoLin, YanLiu, JiaLiu, JianLiu, WeiranLiu, XiaoningLiu, XueqiaoLiu, ZhenLopez, ChristianLosiouk, EleonoraLu, YuanLuo, JunweiMa, HaoyuMa, HuiMa, Jack P. K.Ma, JinhuaMa, MimiMa, XuechengMai, AlexandraMajumdar, SuryadiptaManjón, Jesús A.Marson, Giorgia AzzurraMartinez, SergioMatousek, Petr
xii Organization
Mercaldo, FrancescoMichailidou, ChristinaMitropoulos, DimitrisMohammadi, FarnazMohammady, MeisamMohammed, AmeerMoreira, JoseMuñoz, Jose L.Mykoniati, MariaNassirzadeh, BehkishNewton, ChristopherNg, Lucien K. L.Ntantogian, ChristoforosÖnen, MelekOnete, CristinaOqaily, AlaaOswald, DavidPapaioannou, ThanosParkinson, SimonPaspatis, IoannisPatsakis, ConstantinosPelosi, GerardoPfeffer, KatharinaPitropakis, NikolaosPoettering, BertramPoh, Geong SenPolato, MirkoPoostindouz, AlirezaPuchta, AlexanderPutz, BenediktPöhls, Henrich C.Qiu, TianRadomirovic, SasaRakotonirina, ItsakaRebollo Monedero, DavidRivera, EstebanRizomiliotis, PanagiotisRomán-García, FernandoSachidananda, VinaySalazar, LuisSalem, AhmedSalman, AmmarSanders, OlivierScarsbrook, JoshuaSchindler, PhilippSchlette, Daniel
Schmidt, CarstenScotti, FabioShahandashti, SiamakShahraki, Ahmad SalehiSharifian, SetarehSharma, VishalSheikhalishahi, MinaShen, SiyuShrishak, KrisSimo, HervaisSiniscalchi, LuisaSlamanig, DanielSmith, ZachSolano, JesúsSong, YongchengSong, ZiruiSoriente, ClaudioSoumelidou, KaterinaSpielvogel, KorbinianStifter, NicholasSun, MenghanSun, YiweiSun, YuanyiTabiban, AzadehTang, DiTang, GuofengTaubmann, BenjaminTengana, LizzyTian, YangguangTrujillo, RolandoTurrin, FedericoVeroni, EleniVielberth, ManfredVollmer, MarcelWang, JiafanWang, QinWang, TianhaoWang, WeiWang, WenhaoWang, YangdeWang, YiWang, YulingWang, ZiyuanWeitkämper, CharlotteWesemeyer, StephanWhitefield, Jorden
Organization xiii
Wiyaja, DimazWong, Donald P. H.Wong, Harry W. H.Wong, Jin-MannWu, ChenWu, GeWu, LeiWuest, KarlXie, GuoyangXinlei, HeXu, FenghaoXu, JiaXu, JiayunXu, KeXu, ShengminXu, YanhongXue, MinhuiYamada, ShotaYang, BohanYang, LinYang, RupengYang, S. J.Yang, WenjieYang, Xu
Yang, XuechaoYang, ZhichaoYevseyeva, IrynaYi, PingYin, LingyuanYing, JasonYu, ZuoxiaYuan, Lun-PinYuan, XingliangZhang, BingshengZhang, FanZhang, KeZhang, MengyuanZhang, YanjunZhang, ZhikunZhang, ZongyangZhao, YongjunZhong, ZhiqiangZhou, YutongZhu, FeiZiaur, RahmanZobernig, LukasZuo, Cong
xiv Organization
Keynotes
Decentralising Informationand Communications Technology:
Paradigm Shift or Cypherpunk Reverie?
Aggelos Kiayias
University of Edinburgh and IOHK, UK
Abstract. In the last decade, decentralisation emerged as a much anticipateddevelopment in the greater space of information and communications technol-ogy. Venerated by some and disparaged by others, blockchain technologybecame a familiar term, springing up in a wide array of expected and some timesunexpected contexts. With the peak of the hype behind us, in this talk I lookback, distilling what have we learned about the science and engineering ofbuilding secure and reliable systems, then I overview the present state of the artand finally I delve into the future, appraising this technology in its potential toimpact the way we design and deploy information and communications tech-nology services.
Lattices and Zero-Knowledge
Vadim Lyubashevsky
IBM Research - Zurich, Switzerland
Abstract. Building cryptography based on the presumed hardness of latticeproblems over polynomial rings is one of the most promising approaches forachieving security against quantum attackers. One of the reasons for the pop-ularity of lattice-based encryption and signatures in the ongoing NIST stan-dardization process is that they are significantly faster than all otherpost-quantum, and even many classical, schemes. This talk will discuss theprogress in constructions of more advanced lattice-based cryptographic primi-tives. In particular, I will describe recent work on zero-knowledge proofs whichleads to the most efficient post-quantum constructions for certain statements.
Accountability in Computing
Rebecca N. Wright
Barnard College, New York, USA
Abstract. Accountability is used often in describing computer-security mech-anisms that complement preventive security, but it lacks a precise, agreed-upondefinition. We argue for the need for accountability in computing in a variety ofsettings, and categorize some of the many ways in which this term is used. Weidentify a temporal spectrum onto which we may place different notions ofaccountability to facilitate their comparison, including prevention, detection,evidence, judgment, and punishment. We formalize our view in a utility-theo-retic way and then use this to reason about accountability in computing systems.We also survey mechanisms providing various senses of accountability as wellas other approaches to reasoning about accountability-related properties.This is joint work with Joan Feigenbaum and Aaron Jaggard.
Contents – Part I
Database and Web Security
Pine: Enabling Privacy-Preserving Deep Packet Inspection on TLSwith Rule-Hiding and Fast Connection Establishment . . . . . . . . . . . . . . . . . 3
Jianting Ning, Xinyi Huang, Geong Sen Poh, Shengmin Xu,Jia-Chng Loh, Jian Weng, and Robert H. Deng
Bulwark: Holistic and Verified Security Monitoring of Web Protocols . . . . . . 23Lorenzo Veronese, Stefano Calzavara, and Luca Compagna
A Practical Model for Collaborative Databases: Securely Mixing,Searching and Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Shweta Agrawal, Rachit Garg, Nishant Kumar, and Manoj Prabhakaran
System Security I
Deduplication-Friendly Watermarking for Multimedia Datain Public Clouds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Weijing You, Bo Chen, Limin Liu, and Jiwu Jing
DANTE: A Framework for Mining and Monitoring Darknet Traffic . . . . . . . 88Dvir Cohen, Yisroel Mirsky, Manuel Kamp, Tobias Martin,Yuval Elovici, Rami Puzis, and Asaf Shabtai
Efficient Quantification of Profile Matching Risk in Social Networks UsingBelief Propagation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Anisa Halimi and Erman Ayday
Network Security I
Anonymity Preserving Byzantine Vector Consensus . . . . . . . . . . . . . . . . . . 133Christian Cachin, Daniel Collins, Tyler Crain, and Vincent Gramoli
CANSentry: Securing CAN-Based Cyber-Physical Systems against Denialand Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Abdulmalik Humayed, Fengjun Li, Jingqiang Lin, and Bo Luo
Distributed Detection of APTs: Consensus vs. Clustering . . . . . . . . . . . . . . . 174Juan E. Rubio, Cristina Alcaraz, Ruben Rios, Rodrigo Roman,and Javier Lopez
Designing Reverse Firewalls for the Real World . . . . . . . . . . . . . . . . . . . . . 193Angèle Bossuat, Xavier Bultel, Pierre-Alain Fouque, Cristina Onete,and Thyla van der Merwe
Software Security
Follow the Blue Bird: A Study on Threat Data Published on Twitter . . . . . . . 217Fernando Alves, Ambrose Andongabo, Ilir Gashi, Pedro M. Ferreira,and Alysson Bessani
Dynamic and Secure Memory Transformation in Userspace . . . . . . . . . . . . . 237Robert Lyerly, Xiaoguang Wang, and Binoy Ravindran
Understanding the Security Risks of Docker Hub . . . . . . . . . . . . . . . . . . . . 257Peiyu Liu, Shouling Ji, Lirong Fu, Kangjie Lu, Xuhong Zhang,Wei-Han Lee, Tao Lu, Wenzhi Chen, and Raheem Beyah
DE-auth of the Blue! Transparent De-authentication Using BluetoothLow Energy Beacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Mauro Conti, Pier Paolo Tricomi, and Gene Tsudik
Similarity of Binaries Across Optimization Levels and Obfuscation . . . . . . . . 295Jianguo Jiang, Gengwang Li, Min Yu, Gang Li, Chao Liu, Zhiqiang Lv,Bin Lv, and Weiqing Huang
HART: Hardware-Assisted Kernel Module Tracing on Arm . . . . . . . . . . . . . 316Yunlan Du, Zhenyu Ning, Jun Xu, Zhilong Wang, Yueh-Hsun Lin,Fengwei Zhang, Xinyu Xing, and Bing Mao
Zipper Stack: Shadow Stacks Without Shadow . . . . . . . . . . . . . . . . . . . . . . 338Jinfeng Li, Liwei Chen, Qizhen Xu, Linan Tian, Gang Shi, Kai Chen,and Dan Meng
Restructured Cloning Vulnerability Detection Based on Function SemanticReserving and Reiteration Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Weipeng Jiang, Bin Wu, Xingxin Yu, Rui Xue, and Zhengmin Yu
LegIoT: Ledgered Trust Management Platform for IoT . . . . . . . . . . . . . . . . 377Jens Neureither, Alexandra Dmitrienko, David Koisser,Ferdinand Brasser, and Ahmad-Reza Sadeghi
Machine Learning Security
PrivColl: Practical Privacy-Preserving Collaborative Machine Learning . . . . . 399Yanjun Zhang, Guangdong Bai, Xue Li, Caitlin Curtis, Chen Chen,and Ryan K. L. Ko
xxii Contents – Part I
An Efficient 3-Party Framework for Privacy-Preserving NeuralNetwork Inference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Liyan Shen, Xiaojun Chen, Jinqiao Shi, Ye Dong, and Binxing Fang
Deep Learning Side-Channel Analysis on Large-Scale Traces . . . . . . . . . . . . 440Loïc Masure, Nicolas Belleville, Eleonora Cagli,Marie-Angela Cornélie, Damien Couroussé, Cécile Dumas,and Laurent Maingault
Towards Poisoning the Neural Collaborative Filtering-BasedRecommender Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Yihe Zhang, Jiadong Lou, Li Chen, Xu Yuan, Jin Li, Tom Johnsten,and Nian-Feng Tzeng
Data Poisoning Attacks Against Federated Learning Systems . . . . . . . . . . . . 480Vale Tolpegin, Stacey Truex, Mehmet Emre Gursoy, and Ling Liu
Interpretable Probabilistic Password Strength Meters via Deep Learning. . . . . 502Dario Pasquini, Giuseppe Ateniese, and Massimo Bernaschi
Polisma - A Framework for Learning Attribute-Based AccessControl Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Amani Abu Jabal, Elisa Bertino, Jorge Lobo, Mark Law,Alessandra Russo, Seraphin Calo, and Dinesh Verma
A Framework for Evaluating Client Privacy Leakagesin Federated Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Wenqi Wei, Ling Liu, Margaret Loper, Ka-Ho Chow,Mehmet Emre Gursoy, Stacey Truex, and Yanzhao Wu
Network Security II
An Accountable Access Control Scheme for Hierarchical Content in NamedData Networks with Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Nazatul Haque Sultan, Vijay Varadharajan, Seyit Camtepe,and Surya Nepal
PGC: Decentralized Confidential Payment System with Auditability . . . . . . . 591Yu Chen, Xuecheng Ma, Cong Tang, and Man Ho Au
Secure Cloud Auditing with Efficient Ownership Transfer . . . . . . . . . . . . . . 611Jun Shen, Fuchun Guo, Xiaofeng Chen, and Willy Susilo
Privacy
Encrypt-to-Self: Securely Outsourcing Storage . . . . . . . . . . . . . . . . . . . . . . 635Jeroen Pijnenburg and Bertram Poettering
Contents – Part I xxiii
PGLP: Customizable and Rigorous Location Privacy ThroughPolicy Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Yang Cao, Yonghui Xiao, Shun Takagi, Li Xiong, Masatoshi Yoshikawa,Yilin Shen, Jinfei Liu, Hongxia Jin, and Xiaofeng Xu
Where Are You Bob? Privacy-Preserving Proximity Testingwith a Napping Party. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Ivan Oleynikov, Elena Pagnin, and Andrei Sabelfeld
Password and Policy
Distributed PCFG Password Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701Radek Hranický, Lukáš Zobal, Ondřej Ryšavý, Dušan Kolář,and Dávid Mikuš
Your PIN Sounds Good! Augmentation of PIN Guessing Strategiesvia Audio Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Matteo Cardaioli, Mauro Conti, Kiran Balagani, and Paolo Gasti
GDPR – Challenges for Reconciling Legal Rules with Technical Reality . . . . 736Mirosław Kutyłowski, Anna Lauks-Dutka, and Moti Yung
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
xxiv Contents – Part I
Contents – Part II
Formal Modelling
Automatic Generation of Sources Lemmas in TAMARIN: Towards AutomaticProofs of Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Véronique Cortier, Stéphanie Delaune, and Jannik Dreier
When Is a Test Not a Proof? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Eleanor McMurtry, Olivier Pereira, and Vanessa Teague
Hardware Fingerprinting for the ARINC 429 Avionic Bus . . . . . . . . . . . . . . 42Nimrod Gilboa-Markevich and Avishai Wool
Applied Cryptography I
Semantic Definition of Anonymity in Identity-Based Encryption and ItsRelation to Indistinguishability-Based Definition . . . . . . . . . . . . . . . . . . . . . 65
Goichiro Hanaoka, Misaki Komatsu, Kazuma Ohara, Yusuke Sakai,and Shota Yamada
SHECS-PIR: Somewhat Homomorphic Encryption-Based Compactand Scalable Private Information Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . 86
Jeongeun Park and Mehdi Tibouchi
Puncturable Encryption: A Generic Construction from Delegatable FullyKey-Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Willy Susilo, Dung Hoang Duong, Huy Quoc Le, and Josef Pieprzyk
Analyzing Attacks
Linear Attack on Round-Reduced DES Using Deep Learning . . . . . . . . . . . . 131Botao Hou, Yongqiang Li, Haoyue Zhao, and Bin Wu
Detection by Attack: Detecting Adversarial Samplesby Undercover Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Qifei Zhou, Rong Zhang, Bo Wu, Weiping Li, and Tong Mo
Big Enough to Care Not Enough to Scare! Crawling to AttackRecommender Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Fabio Aiolli, Mauro Conti, Stjepan Picek, and Mirko Polato
Active Re-identification Attacks on Periodically Released DynamicSocial Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Xihui Chen, Ema Këpuska, Sjouke Mauw, and Yunior Ramírez-Cruz
System Security II
Fooling Primality Tests on Smartcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209Vladimir Sedlacek, Jan Jancar, and Petr Svenda
An Optimizing Protocol Transformation for Constructor Finite VariantTheories in Maude-NPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Damián Aparicio-Sánchez, Santiago Escobar, Raúl Gutiérrez,and Julia Sapiña
On the Privacy Risks of Compromised Trigger-Action Platforms . . . . . . . . . 251Yu-Hsi Chiang, Hsu-Chun Hsiao, Chia-Mu Yu,and Tiffany Hyun-Jin Kim
Plenty of Phish in the Sea: Analyzing Potential Pre-attack Surfaces . . . . . . . . 272Tobias Urban, Matteo Große-Kampmann, Dennis Tatang,Thorsten Holz, and Norbert Pohlmann
Post-quantum Cryptography
Towards Post-Quantum Security for Cyber-Physical Systems:Integrating PQC into Industrial M2M Communication . . . . . . . . . . . . . . . . . 295
Sebastian Paul and Patrik Scheible
CSH: A Post-quantum Secret Handshake Scheme from Coding Theory . . . . . 317Zhuoran Zhang, Fangguo Zhang, and Haibo Tian
A Verifiable and Practical Lattice-Based Decryption Mix Netwith External Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Xavier Boyen, Thomas Haines, and Johannes Müller
A Lattice-Based Key-Insulated and Privacy-Preserving SignatureScheme with Publicly Derived Public Key . . . . . . . . . . . . . . . . . . . . . . . . . 357
Wenling Liu, Zhen Liu, Khoa Nguyen, Guomin Yang, and Yu Yu
Post-Quantum Adaptor Signatures and Payment Channel Networks . . . . . . . . 378Muhammed F. Esgin, Oğuzhan Ersoy, and Zekeriya Erkin
Security Analysis
Linear-Complexity Private Function Evaluation is Practical . . . . . . . . . . . . . 401Marco Holz, Ágnes Kiss, Deevashwer Rathee, and Thomas Schneider
xxvi Contents – Part II
Certifying Decision Trees Against Evasion Attacks by Program Analysis . . . . 421Stefano Calzavara, Pietro Ferrara, and Claudio Lucchese
They Might NOT Be Giants Crafting Black-Box Adversarial ExamplesUsing Particle Swarm Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Rayan Mosli, Matthew Wright, Bo Yuan, and Yin Pan
Understanding Object Detection Through an Adversarial Lens . . . . . . . . . . . 460Ka-Ho Chow, Ling Liu, Mehmet Emre Gursoy, Stacey Truex,Wenqi Wei, and Yanzhao Wu
Applied Cryptography II
Signatures with Tight Multi-user Security from Search Assumptions . . . . . . . 485Jiaxin Pan and Magnus Ringerud
Biased RSA Private Keys: Origin Attribution of GCD-Factorable Keys . . . . . 505Adam Janovsky, Matus Nemec, Petr Svenda, Peter Sekan,and Vashek Matyas
MAC-in-the-Box: Verifying a Minimalistic Hardware Designfor MAC Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Robert Küennemann and Hamed Nemati
Evaluating the Effectiveness of Heuristic Worst-Case Noise Analysisin FHE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Anamaria Costache, Kim Laine, and Rachel Player
Blockchain I
How to Model the Bribery Attack: A Practical Quantification Methodin Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Hanyi Sun, Na Ruan, and Chunhua Su
Updatable Blockchains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590Michele Ciampi, Nikos Karayannidis, Aggelos Kiayias,and Dionysis Zindros
PrivacyGuard: Enforcing Private Data Usage Control with Blockchainand Attested Off-Chain Contract Execution . . . . . . . . . . . . . . . . . . . . . . . . 610
Yang Xiao, Ning Zhang, Jin Li, Wenjing Lou, and Y. Thomas Hou
Contents – Part II xxvii
Applied Cryptography III
Identity-Based Authenticated Encryption with Identity Confidentiality . . . . . . 633Yunlei Zhao
Securing DNSSEC Keys via Threshold ECDSA from Generic MPC . . . . . . . 654Anders Dalskov, Claudio Orlandi, Marcel Keller, Kris Shrishak,and Haya Shulman
On Private Information Retrieval Supporting Range Queries . . . . . . . . . . . . . 674Junichiro Hayata, Jacob C. N. Schuldt, Goichiro Hanaoka,and Kanta Matsuura
Blockchain II
2-hop Blockchain: Combining Proof-of-Work and Proof-of-Stake Securely. . . 697Tuyet Duong, Lei Fan, Jonathan Katz, Phuc Thai,and Hong-Sheng Zhou
Generic Superlight Client for Permissionless Blockchains. . . . . . . . . . . . . . . 713Yuan Lu, Qiang Tang, and Guiling Wang
LNBot: A Covert Hybrid Botnet on Bitcoin Lightning Network for Funand Profit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Ahmet Kurt, Enes Erdin, Mumin Cebe, Kemal Akkaya,and A. Selcuk Uluagac
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
xxviii Contents – Part II