Publications – Digidow



Publications

2024

M. Schwaighofer, M. Roland, and R. Mayrhofer: “Extending Cloud Build Systems to Eliminate Transitive Trust”, in Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24), Salt Lake City, UT, USA, ACM, 2024. Accepted for publication.

Event: ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24), Salt Lake City, UT, USA, 18 October 2024

Abstract: Trusting the output of a build process requires trusting the build process itself, and the build process of all inputs to that process, and so on. Cloud build systems, like Nix or Bazel, allow their users to precisely specify the build steps making up the intended software supply chain, build the desired outputs as specified, and on this basis delegate build steps to other builders or fill shared caches with their outputs. Delegating build steps or consuming artifacts from shared caches, however, requires trusting the executing builders, which makes cloud build systems better suited for centrally managed deployments than for use across distributed ecosystems. We propose two key extensions to make cloud build systems better suited for use in distributed ecosystems. Our approach attaches metadata to the existing cryptographically secured data structures and protocols, which already link build inputs and outputs for the purpose of caching. Firstly, we include builder provenance data, recording which builder executed the build, its software stack, and a remote attestation, making this information verifiable. Secondly, we include a record of the outcome of how the builder resolved each dependency. Together, these two measures eliminate transitive trust in software dependencies, by enabling users to perform verification of transitive dependencies independently, and against their own criteria, at time of use. Finally, we explain how our proposed extensions could theoretically be implemented in Nix in the future.

@inproceedings{bib:2024-schwaighofer-scored,
  title = {{Extending Cloud Build Systems to Eliminate Transitive Trust}},
  author = {Schwaighofer, Martin and Roland, Michael and Mayrhofer, René},
  booktitle = {Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24)},
  location = {Salt Lake City, UT, USA},
  numpages = {10},
  publisher = {ACM},
  doi = {10.1145/3689944.3696169},
  year = {2024},
  month = OCT,
  note = {Accepted for publication}
}

E. Leierzopf, M. Roland, R. Mayrhofer, W. Studier, L. Dean, M. Seiffert, F. Putz, L. Becker, and D. R. Thomas: “A Data-Driven Evaluation of the Current Security State of Android Devices”, in 2024 IEEE Conference on Communications and Network Security (CNS), Taipei, Taiwan, IEEE, 2024. Accepted for publication.

Event: IEEE Conference on Communications and Network Security (CNS 2024), Taipei, Taiwan, 30 September - 03 October 2024

Abstract: Android’s fast-paced development cycles and the large number of devices from different manufacturers do not allow for an easy comparison between different devices’ security and privacy postures. Manufacturers each adapt and update their respective firmware images. Furthermore, images published on OEM websites do not necessarily match those installed in the field. Relevant software security and privacy aspects do not remain static after initial device release, but need to be measured on live devices that receive these updates. There are various potential sources for collecting such attributes, including webscraping, crowdsourcing, and dedicated device farms. However, raw data alone is not helpful in making meaningful decisions on device security and privacy. We make available a website to access collected data. Our implementation focuses on reproducible requests and supports filtering by OEMs, devices, device models, and displayed attributes. To improve usability, we further propose a security score based on the list of attributes. Based on input from Android experts, including a focus group and eight individuals, we have created a method that derives attribute weights from the importance of attributes for mitigating threats on the Android platform. We derive weightings for general use cases and suggest possible examples for more specialist weightings for groups of confidentiality/privacy-sensitive users and integrity-sensitive users. Since there is no one-size-fits-all setting for Android devices, our website provides the possibility to adapt all parameters of the calculated security score to individual needs.

@inproceedings{bib:2024-leierzopf-cns,
  title = {{A Data-Driven Evaluation of the Current Security State of Android Devices}},
  author = {Leierzopf, Ernst and Roland, Michael and Mayrhofer, René and Studier, Wolfgang and Dean, Lawrence and Seiffert, Martin and Putz, Florentin and Becker, Lucas and Thomas, Daniel R.},
  booktitle = {2024 IEEE Conference on Communications and Network Security (CNS)},
  location = {Taipei, Taiwan},
  numpages = {9},
  publisher = {IEEE},
  year = {2024},
  month = SEP,
  note = {Accepted for publication}
}

P. Hofer: “Enhancing Privacy-Preserving Biometric Authentication through Decentralization”, Ph.D. thesis, Johannes Kepler University Linz, Institute of Networks and Security, Linz, Austria, 2024. Advisors: R. Mayrhofer, K. Van Laerhoven, and M. Roland.

Abstract: This thesis explores the potential of decentralized technologies for enhancing privacy and operational efficiency within biometric authentication systems. The widespread use of centralized biometric systems is associated with significant risks, such as data breaches and privacy violations, highlighted by vulnerabilities in systems like India’s Aadhaar. Promoting a shift towards decentralized frameworks, it allows users to control where their personal data is stored, aiming to reduce the risks of large-scale unauthorized access. This research aims to enhance biometric systems for embedded devices through a holistic approach that progresses systematically from individual data elements, specifically embeddings, to complete application scenarios utilizing state-of-the-art technologies. The study begins by reducing the embedding size by 96 %, substantially increasing the processing efficiency of personal identifiers. Subsequently, the focus shifts to optimizing the most time-intensive component of the sensor by incorporating multiple face detection models that enhance specific operational efficiencies. Furthermore, developing a domain-specific sensor language allows for a precise definition of performance standards across various applications, facilitating a tailored and fully realized implementation that meets real-world requirements. Testing a real-world prototype with cameras that incorporate the suggested improvements validates the effectiveness of decentralized biometric systems. This research demonstrates practical, efficient, and decentralized methods for authentication, making a significant contribution to the field and setting the stage for future studies in secure digital solutions focused on privacy.

@phdthesis{bib:2024-hofer-phdthesis,
  title = {{Enhancing Privacy-Preserving Biometric Authentication through Decentralization}},
  author = {Hofer, Philipp},
  school = {Johannes Kepler University Linz, Institute of Networks and Security},
  advisor = {Mayrhofer, René and Van Laerhoven, Kristof and Roland, Michael},
  numpages = {158},
  address = {Linz, Austria},
  year = {2024},
  month = SEP
}

P. Hofer, M. Roland, and R. Mayrhofer: “BioDSSL: A Domain Specific Sensor Language for Global, Distributed, Biometric Identification Systems”, in 2024 IEEE 12th International Conference on Intelligent Systems (IS), Varna, Bulgaria, IEEE, pp. 1-7, 2024.

Event: 12th IEEE International Conference on Intelligent Systems (IS'24), Varna, Bulgaria, 29-31 August 2024

Abstract: With biometric identification systems becoming increasingly ubiquitous, their complexity is escalating due to the integration of diverse sensors and modalities, aimed at minimizing error rates. The current paradigm for these systems involves hard-coded aggregation instructions, presenting challenges in system maintenance, scalability, and adaptability. These challenges become particularly prominent when deploying new sensors or adjusting security levels to respond to evolving threat models. To address these concerns, this research introduces BioDSSL, a Domain Specific Sensor Language to simplify the integration and dynamic adjustment of security levels in biometric identification systems. Designed to address the increasing complexity due to diverse sensors and modalities, BioDSSL promotes system maintainability and resilience while ensuring a balance between usability and security for specific scenarios. Furthermore, it facilitates decentralization of biometric identification systems, by improving interoperability and abstraction. Decentralization inherently disperses the concentration of sensitive biometric data across various nodes, which could indirectly enhance privacy protection and limit the potential damage from localized security breaches. Therefore, BioDSSL is not just a technical improvement, but a step towards decentralized, resilient, and more secure biometric identification systems. This approach holds the promise of indirectly improving privacy while enhancing the reliability and adaptability of these systems amidst evolving threat landscapes and technological advancements.

@inproceedings{bib:2024-hofer-ieeeis,
  title = {{BioDSSL: A Domain Specific Sensor Language for Global, Distributed, Biometric Identification Systems}},
  author = {Hofer, Philipp and Roland, Michael and Mayrhofer, René},
  booktitle = {2024 IEEE 12th International Conference on Intelligent Systems (IS)},
  location = {Varna, Bulgaria},
  pages = {1--7},
  numpages = {7},
  publisher = {IEEE},
  doi = {10.1109/IS61756.2024.10705276},
  year = {2024},
  month = AUG
}

P. Peterseil, B. Etzlinger, J. Horáček, R. Khanzadeh, and A. Springer: “Trustworthiness for an Ultra-Wideband Localization Service”, Sensors 24, 16, Article 5268, 2024.

Abstract: Trustworthiness assessment is an essential step to assure that interdependent systems perform critical functions as anticipated, even under adverse conditions. In this paper, a holistic trustworthiness assessment framework for ultra-wideband self-localization is proposed, including the attributes of reliability, security, privacy, and resilience. Our goal is to provide guidance for evaluating a system’s trustworthiness based on objective evidence, i.e., so-called trustworthiness indicators. These indicators are carefully selected through the threat analysis of the particular system under evaluation. Our approach guarantees that the resulting trustworthiness indicators correspond to chosen real-world threats. Moreover, experimental e...