As with yesterday, these notes reflect what piqued my interest and do not attempt to be unbiased, exhaustive reporting of the presentations.
Co-utility: rational cooperation for privacy, security and functionality in the information society (J. Domingo Ferrer, University of Tarragona)
He started with an environmental analogy: privacy preservation is essential and should be sustainable for the survival of the information society. To limit privacy “pollution”, he proposes reducing identifiable information, reusing data to reduce utility,
He uses game theory to define co-utility: co-utility means that the best strategy for the two players is to cooperate. Using different equilibria, he defines Nash, mixed Nash, or Stackelberg (when one player can impose his strategy on the rest of the players) co-utility.
Application to PIR applications
Currently PIR assumes cooperation of the database, which is not always true. (Not true if using zero-knowledge such as Micali.) Potential solutions:
- Standalone approach: TrackMeNot generates fake queries or adds fake keywords
- P2P: reuse queries submitted by other users. He explores this avenue: each player collaborates by submitting the queries of the other players to flatten his own profile (Nash equilibrium)
Trust session
Building robust reputation systems for travel-related services (H. DUAN, Heidelberg)
How to stop manipulation that injects fake reviews (promoting, demoting, system destructor).
The idea was to use review helpfulness as a reputation measurement. They did not use textual analysis. It was OK for one set (New York City) and not for another town.
They were challenged on how they distinguished promoters and demoters from innocent reviewers.
Collaborative Trust Evaluation for Wiki Security
The issue is that malicious or incompetent contributors may modify documents. (Estimation: 4-6% of contributions to Wikipedia are vandalism.)
The Security Wiki Model is a layered model that promotes authors based on the quality of their contributions. A document has an integrity level (IL) and only authors with a higher quality level can contribute. The author attributes the first IL (necessarily less than or equal to his level).
An author increases his reputation through reviews that are validated by other reviewers.
Very conservative approach.
The theory of creating trust with untrusty principals (J. Viehmann, Fraunhofer)
State of the art: Vote, democratic vote (majority), centralized Trusted Third Party
Using game theory with peer monitoring to detect manipulation in different cases:
- plain
- Law enforced
- using mistrust (by testing through fake requests to see if somebody is trustworthy)
Theoretical, no real experiment to test the reaction of users.
Security Session
Effects of displaying access control information near the item it controls (K. Vaniea, Carnegie Mellon)
They tried it on a gallery with a distinction between everybody, co-workers, friends and family.
When the icon is near the picture, it has a better effect than in the sidebar. It has no better impact on memory retention.
Detecting JavaScript-based attacks in PDF files (Schmitt F., University of Bonn)
Static detection is not sufficient if the code dynamically builds the malicious code.
The typical attack uses heap spraying, then calls a vulnerable API method, with the return address being overwritten.
They use PDF Scrutinizer, which has a JavaScript emulator and a reader emulator without actual rendering.
Interesting detectors: the heap spray detector observes strings that are added to an array too often and that are identical.
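A sketch of the heuristic described above, as an added example that is not PDF Scrutinizer's code: a detector fed by an emulator hook on array stores, which flags an array once it receives the same large string too many times. The class and function names, the `onArrayStore` hook, the thresholds and the sample traces are all assumptions made for illustration.

```javascript
// Added illustration, not PDF Scrutinizer's code. Names and thresholds are assumed.
class HeapSprayDetector {
  constructor({ minLength = 1024, maxRepeats = 100 } = {}) {
    this.minLength = minLength;   // ignore short strings (assumed threshold)
    this.maxRepeats = maxRepeats; // identical stores tolerated per array (assumed)
    this.counts = new Map();      // array id -> Map(fingerprint -> count)
    this.alerts = [];
  }

  // Cheap fingerprint so that large strings are not kept as map keys.
  static fingerprint(s) {
    let h = 0x811c9dc5; // FNV-1a, 32-bit
    for (let i = 0; i < s.length; i++) {
      h ^= s.charCodeAt(i);
      h = Math.imul(h, 0x01000193) >>> 0;
    }
    return `${s.length}:${h.toString(16)}`;
  }

  // Hypothetical hook: the emulator calls this whenever a script stores into an array.
  onArrayStore(arrayId, value) {
    if (typeof value !== 'string' || value.length < this.minLength) return false;
    let perArray = this.counts.get(arrayId);
    if (!perArray) this.counts.set(arrayId, (perArray = new Map()));
    const key = HeapSprayDetector.fingerprint(value);
    const n = (perArray.get(key) || 0) + 1;
    perArray.set(key, n);
    if (n === this.maxRepeats + 1) { // alert once per (array, string) pair
      this.alerts.push({ arrayId, length: value.length, repeats: n });
      return true;
    }
    return false;
  }
}

// Replays a list of [arrayId, value] stores and returns the alerts raised.
function runTrace(stores, opts) {
  const d = new HeapSprayDetector(opts);
  for (const [arrayId, value] of stores) d.onArrayStore(arrayId, value);
  return d.alerts;
}

// Constructed traces standing in for what an emulator hook would report.
const filler = 'A'.repeat(4096); // constructed filler string, not a payload
const sprayLike = Array.from({ length: 300 }, () => ['a1', filler]);
const benign = Array.from({ length: 300 }, (_, i) => ['a2', `row-${i}-`.padEnd(2000, 'x')]);
console.log(runTrace(sprayLike).length, runTrace(benign).length);
```

A script that varies each sprayed block slightly would defeat the exact-match count, which is one reason such a detector is run alongside others rather than alone.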
Automatic Detection of Session Management Vulnerabilities in Web Applications (Y. Takamatsu, Japan)
Typical attacks are session fixation and cross-site request forgery (CSRF).
They implemented a plug-in for Amberate to detect these vulnerabilities. Not convincing, as it created false positives on PHP-Nuke.