Whereas user-facing applications are often written in modern languages, the firmware, operating system, support libraries, and virtual machines that underpin just about any modern computer system are still written in low-level languages that value flexibility and performance over convenience and safety. Programming errors in low-level code are often exploitable and can, in the worst case, give adversaries unfettered access to the compromised host system. This book provides an introduction to and overview of automatic software diversity techniques that, in one way or another, use randomization to greatly increase the difficulty of exploiting the vast amounts of low-level code in existence. Diversity-based defenses are motivated by the observation that a single attack will fail against multiple targets with unique attack surfaces. We introduce the many, often complementary, ways that one can diversify attack surfaces and provide an accessible guide to more than two decades worth of research on the topic. We also discuss techniques used in conjunction with diversity to prevent accidental disclosure of randomized program aspects and present an in-depth case study of one of our own diversification solutions.

This book provides an in-depth look at return-oriented programming attacks. It explores several conventional return-oriented programming attacks and analyzes the effectiveness of defense techniques including address space layout randomization (ASLR) and the control-flow restrictions implemented in security watchdogs such as Microsoft EMET. Chapters also explain the principle of control-flow integrity (CFI), highlight the benefits of CFI and discuss its current weaknesses. Several improved and sophisticated return-oriented programming attack techniques such as just-in-time return-oriented programming are presented. Building Secure Defenses against Code-Reuse Attacks is an excellent reference tool for researchers, programmers and professionals working in the security field. It provides advanced-level students studying computer science with a comprehensive overview and clear understanding of important runtime attacks.

Today, embedded systems are used in many security-critical applications, from access control, electronic tickets, sensors, and smart devices (e.g., wearables) to automotive applications and critical infrastructures. These systems are increasingly used to produce and process both security-critical and privacy-sensitive data, which bear many security and privacy risks. Establishing trust in the underlying devices and making them resistant to software and hardware attacks is a fundamental requirement in many applications and a challenging, yet unsolved, task. Solutions solely based on software can never ensure their own integrity and trustworthiness while resource-constraints and economic factors often prevent the integration of sophisticated security hardware and cryptographic co-processors. In this context, Physically Unclonable Functions (PUFs) are an emerging and promising technology to establish trust in embedded systems with minimal hardware requirements. This book explores the design of trusted embedded systems based on PUFs. Specifically, it focuses on the integration of PUFs into secure and efficient cryptographic protocols that are suitable for a variety of embedded systems. It exemplarily discusses how PUFs can be integrated into lightweight device authentication and attestation schemes, which are popular and highly relevant applications of PUFs in practice. For the integration of PUFs into secure cryptographic systems, it is essential to have a clear view of their properties. This book gives an overview of different approaches to evaluate the properties of PUF implementations and presents the results of a large scale security analysis of different PUF types implemented in application-specific integrated circuits (ASICs). To analyze the security of PUF-based schemes as is common in modern cryptography, it is necessary to have a security framework for PUFs and PUF-based systems. In this book, we give a flavor of the formal modeling of PUFs that is in its beginning and that is still undergoing further refinement in current research. The objective of this book is to provide a comprehensive overview of the current state of secure PUF-based cryptographic system design and the related challenges and limitations. Table of Contents: Preface / Introduction / Basics of Physically Unclonable Functions / Attacks on PUFs and PUF-based Systems / Advanced PUF Concepts / PUF Implementations and Evaluation / PUF-based Cryptographic Protocols / Security Model for PUF-based Systems / Conclusion / Terms and Abbreviations / Bibliography / Authors' Biographies

Recently, mobile security has garnered considerable interest in both the research community and industry due to the popularity of smartphones. The current smartphone platforms are open systems that allow application development, also for malicious parties. To protect the mobile device, its user, and other mobile ecosystem stakeholders such as network operators, application execution is controlled by a platform security architecture. This book explores how such mobile platform security architectures work. We present a generic model for mobile platform security architectures: the model illustrates commonly used security mechanisms and techniques in mobile devices and allows a systematic comparison of different platforms. We analyze several mobile platforms using the model. In addition, this book explains hardware-security mechanisms typically present in a mobile device. We also discuss enterprise security extensions for mobile platforms and survey recent research in the area of mobile platform security. The objective of this book is to provide a comprehensive overview of the current status of mobile platform security for students, researchers, and practitioners.

This book constitutes the thoroughly refereed post-conference proceedings of the 17th International Conference on Financial Cryptography and Data Security (FC 2013), held at Bankoku Shinryokan Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013. The 14 revised full papers and 17 short papers were carefully selected and reviewed from 125 submissions. The papers are grouped in the following topical sections: electronic payment (Bitcoin), usability aspects, secure computation, passwords, privacy primitives and non-repudiation, anonymity, hardware security, secure computation and secret sharing, authentication attacks and countermeasures, privacy of data and communication, and private data retrieval.

Hardware-intrinsic security is a young field dealing with secure secret key storage. By generating the secret keys from the intrinsic properties of the silicon, e.g., from intrinsic Physical Unclonable Functions (PUFs), no permanent secret key storage is required anymore, and the key is only present in the device for a minimal amount of time. The field is extending to hardware-based security primitives and protocols such as block ciphers and stream ciphers entangled with the hardware, thus improving IC security. While at the application level there is a growing interest in hardware security for RFID systems and the necessary accompanying system architectures. This book brings together contributions from researchers and practitioners in academia and industry, an interdisciplinary group with backgrounds in physics, mathematics, cryptography, coding theory and processor theory. It will serve as important background material for students and practitioners, and will stimulate much further research and development.

This book constitutes the refereed proceedings of the 11th International Conference on Cryptology and Network Security, CANS 2012, held in Darmstadt, Germany, in December 2012. The 22 revised full papers, presented were carefully reviewed and selected from 99 submissions. The papers are organized in topical sections on cryptanalysis; network security; cryptographic protocols; encryption; and s-box theory.

The concept of trust is related to many aspects of our daily lives, and different stakeholders use the term "trust" in various contexts. Trust is crucial in today's information societies for ensuring success of digital economies in all countries and regions. This book contains papers that were presented at the conference "Future of Trust in Computing" and brings together academics, regulators, technologists, and practitioners working in diverse areas of trust from various parts of the world. The authors discuss issues they are facing and begin to form a common framework. Security and privacy threats and remedies, core trust-enforcing technologies, innovative applications, regulatory issues, privacy and usability, economics as well as provable security and assurance are discussed. Finally, a number of papers touch upon innovative approaches to trust that begin to define new fields of research and innovative types of technologies.

The Western European Workshop on Research in Cryptology (WEWoRC 2007) was the second of its kind. It was organizedas a joint venture between the Horst G] ortzInstituteforSecurityinInformationSystems(HGI), andtheSpecialInt- est Groupon Cryptology(FG Krypto) of the German Computer Science Society (Gesellschaft fu ]r Informatik e.V.). The aim was to bring together researchers in the?eldofcryptology.TheworkshopfocusedonresearchfromMastersandPhD students, and brought them together with more experienced senior researchers. The ?rst workshop (WEWoRC 2005) was held in Leuven. WEWoRC 2007 was held in the German Ruhr region, more particularly in Bochum, during July 4-6, 2007. Formerly a mining town, Bochum is currently growing into a knowledge-based economy. Aided by the city council, IT se- rity is a special focus for economic development. Hence, it provided the perfect scenery for hosting this event. In total, we had 81 participants from 13 di?- ent countries (Belgium, Finland, France, Germany, Iran, Japan, Luxembourg, Malawi, Slovenia, Taiwan, Tunisia, UK, USA)."

This book constitutes the refereed proceedings of the 14th International Conference on Applied Cryptography and Network Security, ACNS 2016, held in Guildford, UK. in June 2016. 5. The 35 revised full papers included in this volume and presented together with 2 invited talks, were carefully reviewed and selected from 183 submissions.ACNS is an annual conference focusing on innovative research and current developments that advance the areas of applied cryptography, cyber security and privacy.

This book constitutes the refereed post-proceedings of the 10th Workshop on RFID Security and Privacy, RFIDSec 2014, held in Oxford, UK, in 2014. The 9 revised full papers and 4 short papers presented in this volume were carefully reviewed and selected from 27 submissions. The papers deal with topics such as RFID power-efficiency, privacy, authentication and side channels, and key exchange.

Hardware-intrinsic security is a young field dealing with secure secret key storage. By generating the secret keys from the intrinsic properties of the silicon, e.g., from intrinsic Physical Unclonable Functions (PUFs), no permanent secret key storage is required anymore, and the key is only present in the device for a minimal amount of time. The field is extending to hardware-based security primitives and protocols such as block ciphers and stream ciphers entangled with the hardware, thus improving IC security. While at the application level there is a growing interest in hardware security for RFID systems and the necessary accompanying system architectures. This book brings together contributions from researchers and practitioners in academia and industry, an interdisciplinary group with backgrounds in physics, mathematics, cryptography, coding theory and processor theory. It will serve as important background material for students and practitioners, and will stimulate much further research and development.

This book constitutes the thoroughly refereed post-workshop proceedings of the 11th International Workshop on Information Hiding, IH 2009, held in Darmstadt, Germany, in June 2009.

The 19 revised full papers presented were carefully reviewed and selected from 55 submissions. The papers are organized in topical sections on steganography, steganalysis, watermarking, fingerprinting, hiding in unusual content, novel applications and forensics.

As human activities moved to the digital domain, so did all the well-known malicious behaviors including fraud, theft, and other trickery. There is no silver bullet, and each security threat calls for a specific answer. One specific threat is that applications accept malformed inputs, and in many cases it is possible to craft inputs that let an intruder take full control over the target computer system. The nature of systems programming languages lies at the heart of the problem. Rather than rewriting decades of well-tested functionality, this book examines ways to live with the (programming) sins of the past while shoring up security in the most efficient manner possible. We explore a range of different options, each making significant progress towards securing legacy programs from malicious inputs. The solutions explored include enforcement-type defenses, which excludes certain program executions because they never arise during normal operation. Another strand explores the idea of presenting adversaries with a moving target that unpredictably changes its attack surface thanks to randomization. We also cover tandem execution ideas where the compromise of one executing clone causes it to diverge from another thus revealing adversarial activities. The main purpose of this book is to provide readers with some of the most influential works on run-time exploits and defenses. We hope that the material in this book will inspire readers and generate new ideas and paradigms.

As human activities moved to the digital domain, so did all the well-known malicious behaviors including fraud, theft, and other trickery. There is no silver bullet, and each security threat calls for a specific answer. One specific threat is that applications accept malformed inputs, and in many cases it is possible to craft inputs that let an intruder take full control over the target computer system. The nature of systems programming languages lies at the heart of the problem. Rather than rewriting decades of well-tested functionality, this book examines ways to live with the (programming) sins of the past while shoring up security in the most efficient manner possible. We explore a range of different options, each making significant progress towards securing legacy programs from malicious inputs. The solutions explored include enforcement-type defenses, which excludes certain program executions because they never arise during normal operation. Another strand explores the idea of presenting adversaries with a moving target that unpredictably changes its attack surface thanks to randomization. We also cover tandem execution ideas where the compromise of one executing clone causes it to diverge from another thus revealing adversarial activities. The main purpose of this book is to provide readers with some of the most influential works on run-time exploits and defenses. We hope that the material in this book will inspire readers and generate new ideas and paradigms.

Cloud services have revolutionized computing in the modern world. In an increasingly networked ecosystem, it is commonplace for enterprises and private parties alike to leverage cloud services for storage and compute. The most obvious benefits include scalability, increased availability, and the potential for reduced costs when compared to lower-scale on premise infrastructures. In addition, cloud-hosted data (and compute) is accessible across platforms and is not limited by geographical constraints making collaboration attractively viable. However, the benefits of outsourcing data and computation come with security and privacy concerns. This monograph explores the advances in cloud security research across both industry and academia, with a special focus on secure infrastructure, services and storage. Besides overviewing the state of the art, the monograph highlights open problems, and possible future research directions. Cloud security is a broad topic encompassing concepts from a large cross section of domains. To make this monograph concise and meaningful, several topics and challenges that are almost entirely specific to clouds are covered. For this reason, general computing security topics such as intrusion detection, software protection, phishing etc. are excluded. While these are important building blocks that need to be considered in an end-to-end cloud-centric design, they have been extensively addressed elsewhere. The publication is divided into three parts based on a broad clustering into hardware, computation, and storage. The monograph should appeal to researchers, students and professionals who work on Cloud Computing in general, and Cloud Security specifically.