by Fabio Martinelli (IIT-CNR) and Edgar Weippl (SBA Research)

Public interest in cybersecurity is on the rise, owing largely to the increasingly pervasive nature of cyber technologies and their ability to enhance our quality of life, affecting most of our activities (either visibly or in an invisibly). In the past, our interactions with PCs were limited to particular working activities. Now, even during our daily commutes, in our cars we are surrounded by hundreds of electronic control units (ECU), our mobile phones are next to us, and our smart watches observe and record every breath. 

by Ana Nieto, Rodrigo Roman and Javier Lopez (Universtity of Malaga)

We define the concept of ‘digital witness’; personal devices able to actively acquire, store and transmit digital evidence to an authorised entity, reliably and securely.
The growing density of networks formed by devices with heterogeneous capabilities and users with different profiles poses new challenges to cyber-security. One clear example of this is the Internet of Things (IoT) paradigm, where cyber-offenses – not only cyber-attacks – take place in very dynamic, polymorphic and even isolated scenarios [1]. There are too many devices to be controlled, and any device with minimal computing and communications capabilities can perpetrate cyber-attacks without leaving a trace. In such a scenario, and in order to clarify the facts of a cyber-crime scene, it is essential to collect and handle electronic evidence within a Chain of Custody (CoC). Yet this is a problem that is impossible to solve only with existing tools.

by Joppe W. Bos and Wil Michiels (NXP)

Secure software implementations in the ‘white-box attack model’ (where the user can be the adversary) are being used to secure smart devices. At NXP we have created a new technique for security assessment which allows one to efficiently extract the secret key from all publicly available white-box implementations. This highlights the risk of using such solutions for certain use-cases in practice.

by Nicolás Notario (Atos), Stephan Krenn (AIT), Bernd Zwattendorfer (Stiftung SIC ) and Felix Hörandner (TU Graz)

CREDENTIAL (seCuRE clouD idENTIty wALlet) is combining technological advances to create privacy-preserving data storage, data sharing and identity management services.

by Florian Dold and Christian Grothoff (Inria)

GNU Taler is a new digital payment system currently under development at INRIA. It aims to strike a balance between radically decentralised technologies – such as Bitcoin -- and traditional payment methods, while satisfying stricter ethical requirements, for example customer privacy, taxation of merchants and environmental consciousness through efficiency. GNU Taler also addresses micropayments, which are infeasible with currently used payment systems owing to high transaction costs.

by José Almeida, Manuel Barbosa, Hugo Pacheco and Vitor Pereira (INESC TEC)

Cryptography is an inherently interdisciplinary area and the development of high-quality cryptographic software is a time-consuming task drawing on skills from mathematics, computer science and electrical engineering, only achievable by highly skilled programmers. The challenge is to map high-level cryptographic specifications phrased using mathematical abstractions into efficient implementations at the level of C or assembly that can be deployed on a target computational platform, whilst adhering to the specification both in terms of correctness and security. The High Assurance Software Laboratory at INESC-TEC maintains a domain-specific toolchain for the specification, implementation and verification of cryptographic software centred on CAO, a cryptography analyses and operations-aware language.

by Nicolas Sendrier and Jean-Pierre Tillich (Inria)

Cryptography is one of the key tools for providing security in our quickly evolving technological society. An adversary with the ability to use a quantum computer would defeat most of the cryptographic solutions that are deployed today to secure our communications. We do not know when quantum computing will become available, but nevertheless, the cryptographic research community must get ready for it now. Code-based cryptography is among the few cryptographic techniques known to resist a quantum adversary.

by Colin Boyd, Gareth T. Davies, Kristian Gjøsteen (NTNU), Håvard Raddum and Mohsen Toorani (University of Bergen)

Most people and companies store important information using cloud storage services that are outside their direct control. The information may be personal, such as emails, photos and videos, medical records and financial information. How can we be sure that our data is safe from the prying eyes of cloud operators, other cloud users or outside agencies? How can we be sure that our data will remain available to us when we need it?

by Thomas Lorünser (AIT Austrian Institute of Technology GmbH), Daniel Slamanig (TU Graz), Thomas Länger (University of Lausanne) and Henrich C. Pöhls (Universiy of Passau)

The EU Horizon 2020 PRISMACLOUD research project is dedicated to enabling secure and trustworthy cloud-based services by improving and adopting novel tools from cryptographic research.

by Marc Stevens (CWI)

An international team of cryptanalysts from CWI, Inria and NTU Singapore broke the core of the SHA-1 internet security standard in October 2015. They projected that breaking SHA-1 is much cheaper and can be achieved earlier than international security experts expected, which gained a lot of attention in the media. The team urged the industry to retract the standard earlier than planned. Their results ensured that an industry ballot to extend the issuance of SHA-1 certificates was withdrawn.

by Marco Gramaglia (UC3M and IMDEA Networks) and Marco Fiore (CNR-IEIIT)

Pervasive mobile communications make it easy to track individuals, a practice that both fosters new knowledge and raises privacy concerns. The uniqueness of human mobility patterns is critical to the latter, as it facilitates user re-identification in naively anonymised datasets. We propose a solution that guarantees the indistinguishability of spatiotemporal trajectories - an important step towards the open access of privacy-preserving datasets.

by Nataliia Bielova, Frédéric Besson and Thomas Jensen (Inria)

Today’s Web users are continuously tracked as they browse the Web. One of the techniques for tracking is device fingerprinting that distinguishes users based on their Web browser and operating system properties. We propose solutions to detect and prevent device fingerprinting via runtime monitoring of JavaScript programs.

by Robert N. M, Watson, Simon W. Moore (University of Cambridge) and Peter G. Neumann (SRI International)

The CHERI hardware-software system has the potential to provide unprecedented security, reliability, assurance, ease of programmability, and compatibility.

by Andreas Konstantinidis, Georgios Chatzimilioudis and Demetrios Zeinalipour-Yazti (University of Cyprus)

Internet-based Indoor Navigation (IIN) services have recently received considerable attention, mainly because GPS technology is unavailable in indoor spaces and consumes considerable energy. On the other hand, predominant Smartphone OS localisation subsystems currently rely on server-side localisation processes, allowing the service provider to know the location of a user at all times. We have devised an innovative algorithm for protecting users from location tracking by the localisation service, without hindering the provision of fine-grained location updates on a continuous basis. Our proposed Temporal Vector Map (TVM) algorithm allows a user to accurately localise by exploiting a k-Anonymity Bloom (kAB) filter and a bestNeighbors generator of camouflaged localisation requests, both of which are shown to be resilient to a variety of privacy attacks.

by Stefano Cresci, Marinella Petrocchi, Maurizio Tesconi (IIT-CNR), Roberto Di Pietro (Nokia Bell Labs), and Angelo Spognardi, (DTU)

Inspired by biological DNA, we model the behaviour of online users as “Digital DNA” sequences, introducing a strikingly novel, simple, and effective approach to discriminate between genuine and spambot online accounts.

by Arthur Melissen (Coblue Cybersecurity)

Distributed role-based access control (RBAC) has become a standard for decentralised systems to manage authorisation across networks. While this model is effective at providing authorization, it fails in providing the flexibility and authorisation accountability that organisations require today. We present an extension to standard distributed RBAC mechanisms by adding an invitation and response dialogue in the assignment of roles to entities for distributed resources, such as collections of shared files. This approach offers more flexibility for delegating roles across administrative domains and increases transparency and confidence in the authorisation structure of distributed resources.

by Carmela Gambardella, (Hewlett Packard Enterprise Italy), Ilaria Matteucci, and Marinella Petrocchi (IIT-CNR)

An electronic data sharing agreement (DSA) is a human-readable, yet machine-processable contract, regulating how organisations and/or individuals share data. Its smooth definition and fluid lifecycle management are key aspects for enabling data protection in various contexts, from e-government to the provision of business and healthcare services, for example.

by Paolo Mori, Andrea Saracino (IIT-CNR) and Francesco Di Cerbo (SAP Labs France)

In the frame of the European project CoCoCloud  (Confidential and Compliant Clouds) we propose a distributed and general framework to enforce usage control policies on data shared in the cloud environment.

by Marco Tiloca, Christian Gehrmann and Ludwig Seitz (SICS)

The Datagram Transport Layer Security (DTLS) protocol is highly vulnerable to a form of denial-of-service attack (DoS), aimed at establishing a high number of invalid, half-open, secure sessions. Moreover, even when the efficient pre-shared key provisioning mode is considered, the key storage on the server side scales poorly with the number of clients. SICS Swedish ICT has designed a security architecture that efficiently addresses both issues without breaking the current standard.

by Thijs Veugen (TNO)

In the current age of information, with growing internet connectivity, people are looking for service providers to store their data, and compute with it. On the other hand, sensitive personal data is easily misused for unintended purposes. Wouldn’t it be great to have a scalable framework, where multiple users can upload personal data, which allows the servers to offer services on these data without ever revealing any data to the servers? TNO and CWI in the Netherlands have developed such a framework.

by Benjamin André (Cozy Cloud), Nicolas Anciaux, Philippe Pucheral and Paul Tran-Van (Inria)

We are witnessing an exponential accumulation of personal data on central servers: data automatically gathered by administrations, companies and web sites, but also data produced by individuals themselves and stored in the cloud for convenience (e.g., photos, agendas, raw data produced by smart appliances and quantified-self devices). Unfortunately, there are many examples of privacy violations arising from abusive use or attacks, and even the most secured servers are not spared.

by Ioannis Askoxylakis, Nikolaos Petroulakis, (FORTH), Vivek Kulkami and Florian Zeiger (Siemens)

The wind power industry is a good example of an industrial network with strict performance, security, and reliability requirements. The VirtuWind project aims to develop and demonstrate a software defined network (SDN) and network function virtualisation (NFV) ecosystem, based on an open, modular and secure framework.

by Fabrizio Biondi, Sébastien Josse, and Axel Legay (Inria)

Black-box synthesis is more efficient than SMT deobfuscation on predicates obfuscated with Mixed-Boolean Arithmetics.

by Dimitris E. Simos (SBA Research)

The SPLIT project applies methods from the field of combinatorial (interaction) testing and model-based testing with the aim of providing quality assurance to software security protocols. The project thus makes a significant contribution towards protecting the information of communicating parties in a digitally connected society.

by Philippe Antoine, Guillaume Bonfante and Jean-Yves Marion (Loria)

Binary code analysis is a complex process that can only be performed by skilled cybersecurity experts whose workload just keeps increasing. Gorille greatly speeds up their daily routines, while providing them with more in-depth knowledge.

by Nisrine Jafri, Axel Legay and Jean-Louis Lanet (Inria)

Fault-injection exploits hardware weaknesses to perturbate the behaviour of embedded devices. Here, we present new model-based techniques and tools to detect such attacks developed at the High-Security Laboratory at Inria.

by Valérie Viet Triem Tong (CentraleSupelec), Jean François Lalande (INSA Centre Val de Loire) and Mourad Leslous (Inria)
 
The best protection against malware is to execute it: a security paradox.

by Vicente Matellán, Francisco J. Rodríguez –Lera and Jesús Balsa (University of Léon)

The robotics industry is set to suffer the same problems the computer industry has been facing in recent decades. This is particularly disturbing for critical tasks such as those performed by surgical, or military robots, but it is also challenging for the ostensibly benign household robots such as vacuum cleaners and tele-conference bots. What would happen if these robots were hacked? At RIASC (Research Institute in Applied Science in CyberSecurity) we are working on tools and countermeasures against cyber attacks in cyber-physical systems.

by Christophe Ponsard, Philippe Massonet and Gautier Dallons (CETIC)

Many safety critical systems, like transportation systems, are integrating more and more software based systems and are becoming connected. In some domains, such as automotive and rail, software is gradually taking control over human operations, and vehicles are evolving towards being autonomous. Such cyber-physical systems require high assurance on two interrelated properties: safety and security. In this context, safety and security can be co-engineered based on sound techniques borrowed from goal-oriented requirements engineering (RE).

by Marcel Caria, TU Braunschweig

SHARCS (Secure Hardware-Software Architecture for Robust Computing Systems) is defining new ways to create more secure and trustworthy ICT systems.
We are currently witnessing a tremendous expansion of computerisation – of ‘smart’ entities and devices - in multiple new areas, such as health care (smart medical implants), automotive (smart cars), urban development (smart cities), power supply (smart grids), and others. This development is inevitably leading society as a whole, and the individuals within it, to increasingly rely on critical applications that sense and control systems in our physical environment. These ‘cyber-physical’ systems (CPS) use a blend of embedded devices and traditional computing systems, and a variety of communication channels. Our increasing reliance on these systems necessitates improved security [1].

by Evangelos Markatos (ICS-FORTH), Egidija Veršinskienė and Evaldas Bružė (L3CE)

Having exceeded the size of 75 Billion USD in 2015, the worldwide size of the cybersecurity market is expected to reach 170 USD in 2020 increasing rapidly year after year [1]. This market is fueled mainly by cybercrime [2] which has recently reached a cost of 445 billion USD  [3]. If left unchecked, cybercrime will have devastating consequences for the development and deployment of our digital society.

by Ernő Rigó and Mihály Héder (MTA SZTAKI)

This article introduces a network of advanced internet honeypot probes for gaining situational awareness relating to cyber-attacks. The system is being built on behalf of Hun-CERT. The project is run by MTA SZTAKI and is sponsored by the Council of Hungarian Internet Providers (CHIP).

by Anže Žitnik (XLAB), Antonio Álvarez Romero (ATOS) and Stephanie Parker (TRUST-IT)

As one of the outputs of the WISER project, CyberWISER-Light provides a quick way for SMEs to make a first assessment of their cyber risk status.

by Florian Skopik, Maria Leitner and Timea Pahi (AIT Austrian Institute of Technology)

The final draft of the Network and Information Security (NIS) Directive stipulates that operators of essential services and digital service providers must report certain security incidents to competent authorities or national computer security incident response teams (CSIRTs) in their member state. It is the authorities’ job to collect and process information about security incidents to increase network security in all organisations by issuing early warnings, assisting in mitigation actions, or distributing recommendations and best practices. However, before an appropriate response to a severe cyber situation can be undertaken, it is essential to establish cyber situational awareness – which turns out to be a tricky task.

by Martin Schmiedecker and Sebastian Neuner (SBA Research)

Digital rensic investigators currently face numerous challenges, some of which include: the increased digitalisation of our lives, vast case sizes owing to ever increasing storage capacity and the large number of personal devices in use. The goal of our SpeedFor project is to develop new methodologies to reduce the manual work required for digital investigators. Among other things we harvest information from file sharing networks to identify files by extending the forensic process. In an initial proof-of-concept we obtained information from the BitTorrent network to identify up to 2,500 terabytes of data.

by László Havasi and Tamás Szirányi (MTA SZTAKI)

The Distributed Events Analysis Research Laboratory (DEVA) has more than 10 years of research experience in security and surveillance, including multi-view systems of optical, thermal, infra-red and time-of-flight cameras, as well as LIDAR sensors. The laboratory’s research and development work has been addressing critical issues of surveillance systems regarding the protection of critical infrastructures against incursions and terrorist attacks.