- 2017-01-10: Survey topics published.
- 2017-01-19: Deadline for selecting top 3 survey topic preferences (https://goo.gl/forms/0dxg87uOmh9eE9VE3).
- 2017-01-26: Survey topics assigned.
- 2017-02-28: Deadline for mid-point survey draft.
- 2017-03-21 & 03-23 & 03-28 & 03-30: Final presentations.
- 2017-04-04: Final survey paper due.
What is expected in the survey paper
Your survey paper should be 4-6 pages, containing:
- a summary of the main ideas in the paper you are surveying (2 pages)
- your own synthesis about the topic (2-4 pages): You can structure this part as you see fit. If it helps, you can write your synthesis by attempting to answer questions like:
  - Is the paper correct and complete?
  - Did you identify any flaws?
  - Do you have some ideas on how to improve the solution(s) presented in the paper?
  - How does this paper compare to other related work addressing the same or similar problems?
To write the synthesis, you are encouraged to read related papers other than the one that you were assigned. For example, you can find related papers by looking at the papers cited by your assigned paper. You can also search resources like Google Scholar (http://scholar.google.com) with relevant search terms.
The goal of the mid-point draft is to monitor your progress and give you advice on your work, ensuring that you are progressing in the right direction. In the mid-point draft, you need to have at least:
- Summary of the main ideas in the paper you are surveying (should be as complete as possible)
- The structure of the rest of your survey paper (a title of each section, ...); as much of the synthesis as you can.
The more complete your draft is, the better the quality of feedback we can give you.
The survey paper can be written with any document preparation system or word processor of your choice (LaTeX, Word, ...); it must be submitted as a PDF file.
You will give an 8-minute presentation about the content of your survey paper. During your presentation, you will be warned at 6 minutes and you should stop by 8 minutes. We recommend using no more than 5 slides. You should submit your final slides (via email to Mssemail@example.com) by Monday 20.03 at 9 am. You are allowed to make minor changes to your slides before your presentation day. However, you should inform course staff beforehand regarding changes. We will arrange a laptop and a pointer for presentations. The laptop will contain your slides submitted before the day of your presentation.
The presentation slides should contain:
- The problem description (1 slide)
- Solution proposed in the assigned paper(s) (Recommended max. 2 slides)
- Presentation of your synthesis on the topic (Recommended max. 1-2 slides)
Deadline: Slides must be submitted (via email to Mssfirstname.lastname@example.org) by Monday 20.03 at 9 am. If needed, a member of course staff will contact you to suggest changes.
Proposing Your Own Topic
You are welcome to propose your own topic. The proposed topic can be any system security topic, preferably one covered in the course. You should write a description like the ones in our topic list, send it to email@example.com ASAP, and discuss it with them (well before 2017-01-17). If your topic is approved by the course staff, you can proceed with it.
List of topics
|1||1||The Protection of Information in Computer Systems, Saltzer & Schroeder||Seminal paper introducing basic concepts in information security. Focus on Section I.A.3 "Design principles" on page 4|
Adrián Wragg Ruiz
The official mandatory access control architecture for Android.
Platform security mechanisms in alternative mobile OSs.
Additional reference: A First Look at Firefox OS Security, DeFreez et al.
|4||3||Old, new, borrowed, blue: a perspective on the evolution of mobile platform security architectures, Kostiainen et al.||A comparative survey of some early mobile platform security architectures.||Maimuna Syed|
|5||3||Security Metrics for the Android Ecosystem, Thomas et al.||This paper defines a security metric to rank mobile device manufacturers and network operators in terms of their provision of software updates and their devices' exposure to critical vulnerabilities. This metric is applied to a large set of real devices.||Syed Jalil|
|6||4||Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World, Azab et al.||Real-time mobile OS kernel protection using ARM TrustZone features as implemented on Samsung Galaxy devices.|
|7||4||HIMA: A Hypervisor-Based Integrity Measurement Agent, Azab et al.||A design for both load-time and run-time integrity measurement and preservation architecture using hypervisor features.|
|8||5||Expectation and Purpose: Understanding Users’ Mental Models of Mobile App Privacy through Crowdsourcing, Lin et al.||A new model for privacy based on user experiences analyzed by using crowdsourcing.||Samu Ahvenainen|
|9||5||AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems||The paper describes an approach to user-driven access control where permission is granted based on existing user actions in the context of the application. The recorded presentation of this paper at CCS 2016 is available on YouTube.|
|10||5||When It’s Better to Ask Forgiveness than Get Permission: Attribution Mechanisms for Smartphone Resources, Thompson et al.||The paper introduces a new design for attribution mechanisms to enhance user experiences.||Bhavya Omkarappa|
|11||5||Mobility helps security in ad hoc networks, Čapkun et al.||A generic technique for establishing security associations between nodes in ad-hoc networks.||Otto Mangs|
|12||5||CRePE: context-related policy enforcement for Android, Conti et al.||A system to define context-related policies on smartphones at a fine-grained level.|
A context profiling framework configuring access control policies on mobile devices.
A demo of access control configuring based on context.
|14||5||Usability Analysis of Secure Pairing Methods, Uzun et al.||A comparative usability evaluation of selected methods to derive some insights into their usability and security.|
|15||5||Is this app safe?: a large scale study on application permissions and risk signals, Pern Hui Chia et al.||The paper presents analysis results on a large-scale dataset of community ratings used for granting app permissions.||Ivan Shabunin|
|16||5||Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, Lin et al.||Using static analysis and clustering techniques to identify a small number of privacy profiles to address the problem of mobile app permission granting.|
|17||6||Quire: Lightweight Provenance for Smart Phone Operating Systems, Dietz et al.||The paper introduces Quire, with two security mechanisms to address the issue that the Android system allows one app to trigger another app.|
|18||6||Permission Re-Delegation: Attacks and Defenses, Felt et al.||The paper discusses the risk of permission re-delegation in smartphone OSs and proposes a new OS mechanism for defending against such vulnerabilities.||Prasant Sukumar|
|19||6||Towards Taming Privilege-Escalation Attacks on Android, Bugiel et al.||The paper addresses the design and implementation of a security framework to defend against application-level privilege escalation attacks.|
The paper proposes TaintART, a system for real-time tracking of multiple sources of sensitive data in the Android Run Time environment (ART).
The paper builds on previous research such as TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, Enck et al.
|21||6||These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications, Hornyack et al.||The paper presents how two privacy controls are implemented to let users run applications while still preserving data privacy.|
|22||6||Semantically rich application-centric security in Android, Ongtang et al.||The paper presents a modified infrastructure named "Saint" for install-time permission assignment and their run-time use. Focus on Saint policy section.|
|23||6||The company you keep: mobile malware infection rates and inexpensive risk indicators, Truong et al.||Mobile malware infection rates are estimated from a large number of Android devices. The paper also introduces an indirect method based on a set of running apps to search for infected devices.|
|24||6||Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices, Becher et al.||This paper provides a comprehensive overview of different aspects of smartphone security. In particular, it surveys mechanisms that are intended to increase the overall security of smartphones.|
|25||6||Systematic Detection of Capability Leaks in Stock Android Smartphones, Grace et al.||This paper examines the impact of firmware customization on security and privacy. Research results state that stock images provided by smartphone manufacturers do not enforce the permission-based security model.|
|26||6||ASM: A Programmable Interface for Extending Android Security, Heuser et al.||An extensible architecture for adding new reference monitors for Android.|
|27||6||Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones, Xu et al.||Techniques to transparently authenticate mobile users based on their interactions with their devices' touch screens.|
|28||6||Using contextual co-presence to strengthen Zero-Interaction Authentication: Design, integration and usability, Truong et al.||A design and implementation of using audio and radio sensor data to improve security without sacrificing the usability of zero-interaction authentication.|
|29||6||This paper proposes an extensible framework for controlling access to sensor data on multi-application continuous sensing platforms.|
|30||6||Boxify: Full-fledged App Sandboxing for Stock Android, Backes et al.||This paper presents Boxify, an application-layer mechanism for additional sandboxing of untrusted apps on Android, using app virtualization and process-based privilege separation. The proposed solution requires no modification of the apps or Android OS.|
|31||6||Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android||This paper presents Draco, a uniform and fine-grained access control framework for web code running on Android embedded browsers (viz., WebView). The proposed solution requires no modifications to the Android OS.|
|32||Extra||A Simple Generic Attack on Text Captchas, Gao et al.||This paper presents a simple, low-cost but powerful attack that effectively breaks a wide range of text Captchas with distinct design features using a machine learning technique.||Jouni Puputti|
|33||Extra||This paper proposes Bloom cookies that encode a user’s profile in a compact and privacy-preserving way, while still allowing online services to use it for personalization purposes.||Borger Vigmostad|
|34||Extra||Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks, Melicher et al.||This paper proposes using artificial neural networks to model text passwords’ resistance to guessing attacks and explore how different architectures and training methods impact neural networks’ guessing effectiveness.||Nikola Mandic|
|35||Extra||Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition, Sharif et al.||This paper investigates physically realizable and inconspicuous attacks on facial recognition systems, which allow an attacker to evade recognition or impersonate another individual.|