Side-channel information leakage is a known limitation of SGX. Researchers have demonstrated that secret-dependent can be extracted from enclave execution through page-fault access patterns. Consequently, various recent research efforts are actively seeking countermeasures to SGX side-channel attacks. It widely assumed may vulnerable other side channels, such as cache pattern monitoring, well. However, prior our work, the practicality and extent was not studied. In this paper we demonstrate...

Recently several researchers and practitioners have begun to address the problem of how set up secure communication between two devices without assistance a trusted third party. McCune et al., (2005) proposed that one device displays hash its public key in form barcode, other reads it using camera. Mutual authentication requires switching roles repeating above process reverse direction. In this paper, we show strong mutual can be achieved even with unidirectional visual channel, having...

In this paper, we present findings from a largescale and long-term phishing experiment that conducted in collaboration with partner company. Our ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated emails their normal working context. We also deployed reporting button to company's email client allowed report suspicious they received. measured click rates emails, dangerous actions such as submitting credentials,...

Securely storing and using credentials is critical for ensuring the security of many modern distributed applications. Existing approaches to address this problem fall short. User memorizable passwords are flexible cheap, but they suffer from bad usability low security. On other hand, dedicated hardware tokens provide high levels security, logistics manufacturing provisioning such expensive, which makes them unattractive most service providers. A new approach has become possible due fact that...

Hardware-based trusted execution environments (TEEs) have been available in mobile devices for more than a decade, but their use has limited. The On-board Credential system safely opens up TEEs so application developers can functionality to improve security and usability.

We propose a novel location-based second-factor authentication solution for modern smartphones. demonstrate our in the context of point sale transactions and show how it can be effectively used detection fraudulent caused by card theft or counterfeiting. Our scheme makes use Trusted Execution Environments (TEEs), such as ARM TrustZone, commonly available on smartphones, resists strong attackers, even those capable compromising victim phone applications OS. It does not require any changes...

A trusted execution environment (TEE) is a secure processing that isolated from the normal where device operating system and applications run. The first mobile phones with hardware-based TEEs appeared almost decade ago, today every smartphone tablet contains TEE like ARM TrustZone. Despite such large-scale deployment, use of functionality has been limited for developers. With emerging standardization this situation about to change. In tutorial, we explain security features provided by...

Traditional approaches for communication security do not work well in disruption- and delay-tolerant networks (DTNs). Recently, the use of identity-based cryptography (IBC) has been proposed as one way to help solve some DTN issues. We analyze applicability IBC this context conclude that authentication integrity, no significant advantage over traditional cryptography, but it can indeed enable better ways providing confidentiality. Additionally, we show a bootstrapping needed associations...

Smart contracts are programmable, decentralized and transparent financial applications. Because smart contract platforms typically support Turing-complete programming languages, such systems often said to enable arbitrary However, the current permissionless impose heavy restrictions on types of computations that can be implemented. For example, globally-replicated sequential execution model Ethereum requires low gas limits make many infeasible.

Recent research has demonstrated that Intel's SGX is vulnerable to software-based side-channel attacks. In a common attack, the adversary monitors CPU caches infer secret-dependent data accesses patterns. Known defenses have major limitations, as they require either error-prone developer assistance, incur extremely high runtime overhead, or prevent only specific this paper, we propose location randomization novel defense against attacks target access Our goal break link between memory...

Trusted computing technologies for mobile devices have been researched, developed, and deployed over the past decade. Although their use has limited so far, ongoing standardization may change this by opening up these easy access developers users. In survey, we describe current state of trusted solutions from research, standardization, deployment perspectives.

Mobile application spoofing is an attack where a malicious mobile app mimics the visual appearance of another one. A common example phishing adversary tricks user into revealing her password to that resembles legitimate In this paper, we propose novel detection approach, tailored protection login screens, using screenshot extraction and similarity comparison. We use deception rate as metric for measuring how likely consider potential one protected applications. conducted large-scale online...

Due to the popularity of blockchain-based cryptocurrencies, increasing digitalization payments, and constantly reducing role cash in society, central banks have shown an increased interest deploying bank digital currencies (CBDCs) that could serve as a cash-equivalent. While most recent research on CBDCs focuses blockchain technology, it is not clear this choice technology provides optimal solution. In particular, centralized trust model CBDC offers opportunities for different designs....

Central banks around the world are exploring and in some cases even piloting Bank Digital Currencies (CBDCs). CBDCs promise to realize a broad range of new capabilities, including direct government disbursements citizens, frictionless consumer payment money-transfer systems, financial instruments monetary policy levers. also give rise, however, host challenging technical goals design questions that qualitatively quantitatively different from those existing systems. A well-functioning CBDC...

"Pairing" is the establishment of authenticated key agreement between two devices over a wireless channel. Such are ad hoc in nature as they lack any common preshared secrets or trusted authority. Fortunately, these can be connected via auxiliary physical (audio, visual, tactile) channels which by human users. They can, therefore, used to form basis pairing operation. Recently proposed protocols and methods based upon bidirectional channels. However, various scenarios asymmetric nature,...

The recent dramatic increase in the popularity of "smartphones" has led to increased interest smartphone security research. From perspective a researcher noteworthy attributes modern are ability install new applications, possibility access Internet and presence private or sensitive information such as messages location. These also present large class more traditional "feature phones." Mobile platform architectures these types devices have seen much larger scale deployment compared designed...

Mobile application phishing happens when a malicious mobile masquerades as legitimate one to steal user credentials. Personalized security indicators may help users detect attacks, but rely on the user's alertness. Previous studies in context of website have shown that tend ignore personalized and fall victim attacks despite their deployment. Consequently, research community has deemed an ineffective detection mechanism. We revisit question indicator effectiveness evaluate them previously...

Application phishing attacks are rooted in users inability to distinguish legitimate applications from malicious ones. Previous work has shown that personalized security indicators can help detecting application mobile platforms. A indicator is a visual secret, shared between the user and security-sensitive (e.g., banking). The sets up when started for first time. Later on, displays authenticate itself user. Despite their potential, no previous addressed problem of how securely setup --...