This page records the topics of the meetings the HWU Cyber Security Research organised in the 2018-2023 period.
Return to cyber security main page.
Wednesday May 17 Joint CS / Cybersec / LAIV / DSG seminar
Speaker
Muhammad Usama Sardar (Technische Universität Dresden, Germany), visiting during the whole week.
Title
Confidential Computing: The Role of Attestation
Abstract
Attestation is one of the most critical mechanisms in confidential computing (CC). This talk presents a novel approach based on the combination of Trusted Execution Environment (TEE)-agnostic attestation architecture and formal analysis enabling comprehensive and rigorous security analysis of attestation mechanisms in CC. We demonstrate the application of our approach for three prominent industrial representatives, namely Arm Confidential Compute Architecture (CCA) in architecture lead solutions, Intel Trust Domain Extensions (TDX) in vendor solutions, and Secure CONtainer Environment (SCONE) in frameworks. For each of these solutions, we provide a comprehensive specification of all phases of the attestation mechanism in confidential computing, namely provisioning, initialization, and attestation protocol. Our approach reveals design and security issues in Intel TDX and SCONE attestation.
Bio
Muhammad Usama Sardar is a Research Associate at TU Dresden working for the Transregional Collaborative Research Centre 248 “Foundations of Perspicuous Software Systems” (CPEC) since October 2021. His current research focuses on the formal specification and verification of architecturally-defined remote attestation for confidential computing, specifically Intel SGX, TDX and Arm CCA. He leads the recently accepted formal specification project in CCC Attestation SIG, and contributes to various research networks, such as EuroProofNet (WG3), Open Compute Project (OCP), and Méthodes formelles pour la sécurité. He is also a tutor for the master’s courses: Systems Engineering, Principles of Dependable Systems, and Software Fault Tolerance.
Tuesday August 31 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Seminar by Rosario Giustolisi, Associate Professor, Dept. Computer Science, IT University of Copenhagen, Denmark
Title: Fixing Vulnerabilities Automatically with Linters
Abstract:
Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers? We investigate the extent of which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect -- and automatically fix -- certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared with the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.
Tuesday August 24 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Lightning MSc talk on your Security-related Dissertations by Peter Kirwan
Title: Anti-Phishing Training, Gamification and Memory
Tuesday July 6 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Group reading/watching ICSE 2021 paper: https://conf.researchr.org/details/icse-2021/icse-2021-papers/124/-Do-this-Do-that-And-nothing-will-happen-Do-specifications-lead-to-securely-store
Tuesday June 21 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Filip Bartoszewski will give a talk on his PhD work. Title: Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles
Tuesday June 15 (joint with Dubai) online (from 2pm UK time, 5pm UAE time)
Topics:
Léon McGregor will give a talk on his PhD work. Title: An experiment Investigating Developers and Message Prioritisation
Tin Tironsakkul will give a talk on his PhD work. Title: Context Matters: Methods for Bitcoin Tracking
Friday June 11 online (from 11am UK time)
Topic: Kahraman Kostas will give a talk on his PhD work. Title: Behaviour Based Security with Machine Learning In IoT Networks
Wednesday December 16 (joint with Dubai) online (from 11am UK time, 3pm UAE time)
Topic: Group reading on two topics from USENIX 2020 papers
Detecting Stuffing of a User’s Credentials at Her Own Accounts. Ke Coby Wang and Michael K. Reiter, University of North Carolina at Chapel Hill
An Observational Investigation of Reverse Engineers’ Processes. Daniel Votipka and Seth Rabin, University of Maryland; Kristopher Micinski, Syracuse University; Jeffrey S. Foster, Tufts University; Michelle L. Mazurek, University of Maryland
More details at: https://www.usenix.org/conference/usenixsecurity20/technical-sessions
Thursday December 10 online (from 9pm UK time)
End of year social get-together!
Tuesday December 1 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)
Topic: Activities update & Discussion
Tuesday November 24 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)
Topic: Activities update & Discussion
Tuesday November 17 (joint with Dubai) online (from 10am UK time, 2pm UAE time)
Topic: Seminar by Giampaolo Bella (University of Catania, Italy)
Title: Out to explore the cybersecurity planet
Abstract:
Purpose – Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which manages to spread a malicious update of the wallet app. The author therefore sets out to look at things through a different lens.
Design/methodology/approach – The author makes the (metaphorical) hypothesis that humans arrived on Earth along with security ceremonies from a very far planet, the Cybersecurity planet. The author’s hypothesis continues, in that studying (by huge telescopes) the surface of Cybersecurity in combination with the logical projection on that surface of what happens on Earth is beneficial for us earthlings.
Findings – The author has spotted four cities so far on the remote planet. Democratic City features security ceremonies that allow humans to follow personal paths of practice and, for example, make errors or be driven by emotions. By contrast, security ceremonies in Dictatorial City compel to comply, hence humans here behave like programmed automata. Security ceremonies in Beautiful City are so beautiful that humans just love to follow them precisely. Invisible City has security ceremonies that are not perceivable, hence humans feel like they never encounter any. Incidentally, the words “democratic” and “dictatorial” are used without any political connotation.
Originality/value – A key argument the author shall develop is that all cities but Democratic City address the human factor, albeit in different ways. In the light of these findings, the author will also discuss security ceremonies of our planet, such as WhatsApp Web login and flight boarding, and explore room for improving them based upon the current understanding of Cybersecurity.
Paper: Bella, G. (2020), "Out to explore the cybersecurity planet", Journal of Intellectual Capital, Vol. 21 No. 2, pp. 291-307.
Tuesday November 10
No meeting
Tuesday November 3 (joint with Dubai) online (from 11am UK time, 3pm UAE time)
Topic: Seminar by Siamak F. Shahandashti (University of York)
Title: Revisiting Security Vulnerabilities in Commercial Password Managers
Abstract:
In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors.
Paper: Michael Carr and Siamak F. Shahandashti. "Revisiting Security Vulnerabilities in Commercial Password Managers". IFIP SEC 2020.
Tuesday October 27 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)
Topic: Activities update & Discussion
Tuesday October 20 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Kirsty Macmillan will give a rehearsal NordCHI 2020 talk. Title: Are autistic children more vulnerable online? Relating autism to online safety, child wellbeing and parental risk management
Tuesday October 13 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)
Topic: Activities update & Discussion
Tuesday September 29 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)
Topic: Activities update & Discussion
Tuesday September 1 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: Tin Tironsakkul will give a rehearsal CBT 2020 talk. Title: Tracking Mixed Bitcoins
Tuesday August 25 (joint with Dubai) online (from 11am UK time, 2pm UAE time)
Topic: We have two short presentations this week.
Aidah Ichario will give a rehearsal EuroUSEC 2020 talk. Title: Investigating Web API Developer Experience in Relation to Terms of Service and Privacy Policies
Léon McGregor will give a rehearsal UKICER 2020 talk. Title: Software Testing as Medium for Peer Feedback
Tuesday August 11 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)
Topic: Kickoff for 2020-21
Tuesday June 30 (joint with Dubai) online on Teams (from 11:15am UK time, 2:15pm UAE time)
Topic: Planning for 2020-21
Tuesday June 23
No meeting
Tuesday June 16 (joint with Dubai) online on Collaborate (from 11:15am UK time, 2:15pm UAE time)
Topic: Rabia Saleh will give a talk on her PhD work. Title: SDN-based MANET using existing OpenFlow protocol
Monday June 8 (joint with Dubai) online on Collaborate (from 1pm UK time, 4pm UAE time)
Topic: Kahraman Koştaş will give a talk on his PhD work. Title: Behaviour-Based Device Detection via Machine Learning in IoT Networks
Tuesday June 2 (joint with Dubai) online on Collaborate (from 11:00am to 12:30noon UK time, 2:00pm to 3:30pm UAE time)
Topics: We have two presentations this week.
Cameron Caldwell will give a talk on his Honours work. Title: Steganography Over Audio
Filip Bartoszewski will give a talk on his PhD work. Title: Majority rules: using ensembles for insider threat detection
Tuesday May 26
No meeting
Wednesday May 20 (joint with Dubai) online on Collaborate (at 10:00am UK time, 1:00pm UAE time)
Topic: Léon McGregor will give a talk on his PhD work. Title: Surveying Usable Security in APIs
Tuesday May 12
No meeting
Tuesday May 5 (joint with Dubai) online on Teams or Collaborate (at 11:30am UK time, 2:30pm UAE time)
Topic: Biju Hameed will give a talk on his MSc project. Title: Cybersecurity in Operational Technology (OT) environments
Tuesday April 28 (joint with Dubai) online on Teams or Collaborate
Topic: Tin Tironsakkul will give a talk on his PhD work. Title: Cryptocurrency Transaction Tracking
Tuesday April 21
No meeting
Tuesday April 14
No meeting (extended Easter Weekend)
Tuesday April 7 (joint with Dubai) online on Teams or Collaborate
Topic: Sam Grossick will give a talk on his Computer Systems Honours project. Title: Impact of Increased Security Measures on User Trust in Online Transactions
Tuesday March 31 (joint with Dubai) online on Teams
Topic: Planning of further online meetings and activities.
Tuesday January 14 (13:15 in EM 1.58)
Topic: Katie Watson will give a talk on her PhD work. Title: Efficacy of comic permission requests
Tuesday November 19 (12:15 in EM 1.58)
Topic: IT Master Class - A comprehensive introduction to GDPR for internet entrepreneurs by Yann Jaffrennou
Tuesday November 12
No meeting.
Tuesday October 29
No meeting.
Tuesday October 22
No meeting.
Tuesday October 15
No meeting.
Tuesday October 8 (11:30 in CM F.17)
Topic: Short planning meeting.
Tuesday October 1 (11:15 in CM F.17)
Topic: Kirsty Macmillan will give the talk on her PhD research she gave last week at a conference. Title: What are the online safety risks for autistic children? A mixed methods study.
Monday September 23
No meeting
Tuesday September 17
No meeting
Tuesday September 10 (14:15 in EM 1.58)
Topic: rehearsal talk by Abdullah Altawairqi
Tuesday September 3
No meeting
Tuesday August 27
No meeting
Wednesday August 21 (10:15 in CM F.17)
Topic: Discussion in preparation for the new academic year.
Wednesday July 3 in EM 1.82 from 12:00am
Topic: Joint LAIV and Cyber Security PhD Seminar
12:00 Amani Benhalem, Artificial Neural Network - Guided Particle Swarm Optimisation
12:30 Alasdair Hill, Formal Verification of AI Planning Languages
13:00 Abdullah Altawairqi, Exploring the Modeling of Attack Strategies for STPA
Monday June 3 in EM 1.82 from 10:30am
Topic: Cyber Security PhD Seminar
10:30am: Katie Watson, Novel, graphical ways of increasing smartphone privacy awareness
11:00am: Léon McGregor, How Could Serious Games Support Secure Programming? Designing a Study Replication and Intervention (EuroUSEC 2019 rehearsal talk)
11:30am: Tin Tironsakkul, Probing the mystery of cryptocurrency theft: An investigation into methods for cryptocurrency tainting analysis (Cryptocurrency Research Conference 2019 rehearsal talk)
Tuesday May 28 (joint with Dubai at 15:30) (in Edinburgh this meeting will be in CM F.17 at 12:30)
Topic: Continuing our Group reading lead by Hani Ragab Hassen on Attribute-Based Access Control.
Servos, D., Osborn, S.L., 2017. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput Surv 49, 65:1–65:45. https://doi.org/10.1145/3007204
Tuesday May 21
No meeting as the Workshop on Serious Games for Cyber Security is taking place on Tuesday 21 and Wednesday 22.
Tuesday May 14
Topic: Updates and preparation for Workshop on Serious Games for Cyber Security.
Tuesday May 7 (11:30 in CM F.17)
Topic: Updates and upcoming Workshop on Serious Games for Cyber Security.
Tuesday April 30
No meeting.
Tuesday April 23
No meeting.
Tuesday April 16
Topic: Joint CS seminar at 14:30 in EM 1.70 by Charles Weir (Lancaster University).
Title: Riding the Wave: Using the New Interest in Software Security to Engage and Learn with Industry
Abstract:
GDPR, Facebook, T-Mobile, Heartbleed, WannaCry, E-Payment Fraud, £650 million bank robbery: public and business appreciation of the dangers of ‘cyber’ security and privacy issues have increased massively in the last few years. Changes in technology have made perimeter security insufficient; developers and product management must now be involved, requiring skills and knowledge not traditionally taught to cyber security experts. This creates opportunities for research organisations to contribute significantly to solutions; and a large demand from industry for anything that can help. But how can we as researchers ride this wave of demand?
Charles’ talk will provide a basis to consider this question. He’ll introduce the Magid project at Lancaster University: the building and testing of an intervention package to help development teams improve security. He’ll discuss three powerful research techniques not usual in software research; how they recruited a dozen different industry teams to trial the techniques; and some of the results they found.
Bio: Charles Weir is a Researcher at Security Lancaster, within Lancaster University, UK. He is passionate about improving the security skills of teams of professional software developers, and has contributed to a dozen peer-reviewed publications in the three years since he started academic research. Previously he set up the mobile application development company, Penrillian, and ran it successfully for 15 years, employing up to thirty people and with a total turnover well over £20M. Charles also helped introduce object-oriented and agile methods to the UK, and was technical lead for the world’s first smartphone.
Tuesday April 9 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)
Topic: Group reading lead by Hani Ragab Hassen on Attribute-Based Access Control.
Servos, D., Osborn, S.L., 2017. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput Surv 49, 65:1–65:45. https://doi.org/10.1145/3007204
Tuesday April 2
Topic: Joint CS seminar in EM 1.70 by Sasa Radomirovic (University of Dundee).
Title: A Formal Analysis of 5G Authentication
Abstract:
Mobile communication networks connect much of the world's population. The security of users' calls, text messages, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose.
In this talk, I will show how the application of formal methods has helped us discover and repair authentication flaws in the 5G standard. In particular, I will give an introduction to our security protocol modeling language and the automated protocol verification tool Tamarin. No specialist knowledge will be assumed.
Joint work with David Basin, Jannik Dreier, Lucca Hirschi, Ralf Sasse, and Vincent Stettler.
Bio: Dr. Sasa Radomirovic is a senior lecturer at the University of Dundee after previously having been a senior scientist at ETH Zurich in Switzerland. Radomirovic received a PhD in number theory from Rutgers University, USA and moved on to cryptographic protocols and formal methods for information security at NTNU Norway and the University of Luxembourg. Over the last ten years his research has focused on modeling and verification of security and privacy critical systems.
Tuesday March 26
No meeting.
Tuesday March 19
No meeting.
Tuesday March 12
Topic: PhD doctoral consortium.
Tuesday March 5
No meeting.
Tuesday February 26 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)
Topic: Syeda Rubbani will be discussing her work on the security of IoT communications.
Tuesday February 19
No meeting.
Tuesday February 12
Topic: Group reading lead by Kirsty Macmillan on cyber security, social engineering and autism.
Neupane, A., Satvat, K., Saxena, N., Stavrinos, D., and Bishop, H. J. Do Social Disorders Facilitate Social Engineering?: A Case Study of Autism and Phishing Attacks. Annual Computer Security Applications Conference ACSAC 2018. http://doi.acm.org/10.1145/3274694.3274730
Tuesday February 5
Topic: Tin to talk about aspects of his PhD research.
And as Kirsty pointed, Feb that January 5 is Safer Internet Day!
Tuesday January 29
Topic: Filip Bartoszewski to give a practice talk on his PhD research.
Tuesday January 22
Meeting cancelled.
Tuesday January 15
No meeting.
Tuesday January 8
Topic: first meet-up of the new year.
Tuesday December 18
Topic: Wrapping up the year, this will be our last meeting before the break
No meeting on Tuesday December 11
No meeting on Tuesday December 4
Tuesday November 27
Topic: Manuel Maarek to give a GALA 2018 practice talk of titled: Co-created design of a serious game investigation into developer-centred security (joint work with Sandy Louchart, Léon McGregor, and Ross McMenemy)
Tuesday November 20
Topic: Joint CS seminar in EM 1.70 by François Pessaux (ENSTA ParisTech), visiting during the whole week.
Title
FoCaLiZe - An (easy?) language with computational and logical aspects
Abstract
The question of formally proving that programs comply with properties describing their specification is a notoriously complex and polymorphic problem. Several development environments attempt to bring answers.
In this talk, we will present one of them, FoCaLiZe, allowing, inside a same programming language, to deal with algorithms, properties and proofs, while trying to keep simple enough and close to usual programming languages. The presentation will address the features of the language and shortly its compilation.
FoCaLiZe generates OCaml, Coq and Dedukti codes to obtain both an executable (or a library) and a complete formal model of the program, its properties and their proofs. This model is sent to a formal checker to double-check the validity of the development. FoCaLiZe applies a common compilation trunk and code generation model to ensure a good traceability between the produced codes.
Bio
François Pessaux has been Professor Associate at ENSTA ParisTech for 7 years. He did his PhD thesis in the Cristal project at INRIA from 1997 to 1999 on the analysis of uncaught exception in OCaml. He then spent one and half year in a post-doctoral position at Lucent / Hoboken University in the USA, before coming back in France where he led 6 year ago the R&D department at SURLOG, company specialized in safety analyses. He came back in the academic world on a 2 years contract at LIP6 where he developed FoCaLiZe on the basis of Focal. He then worked one year in KALRAY to develop, among other things, a prototype of scheduler for a massively parallel architecture and an Eclipse plugin for the programming language supporting this architecture. Finally, during one year he re-designed the typechecker of the OPA programming language at MLstate before joining the ENSTA ParisTech.
Tuesday November 13
Topic: Group reading lead by Tin Tironsakkul on cryptocurrency transaction analysis.
Möser, M., Böhme, R. and Breuker, D. Towards Risk Scoring of Bitcoin Transactions. Financial Cryptography and Data Security 2014. https://doi.org/10.1007/978-3-662-44774-1_2
No meeting on Tuesday November 6
No meeting on Tuesday October 30
Tuesday October 23 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)
Topic: Manuel Maarek to give a PLATEAU 2018 practice talk of titled: Observing the uptake of a language change making strings immutable
Tuesday October 16 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)
Topic: Group reading lead by Kayvan Karim on Generative adversarial networks GANs.
Rigaki, M., Garcia, S. Bringing a GAN to a Knife-fight: Adapting Malware Communication to Avoid Detection. 2018 IEEE Symposium on Security and Privacy Workshops https://doi.org/10.1109/SPW.2018.00019
Tuesday October 9
Topic: Mashael Alasmari will present for feedback her questionnaire on Facebook usage and behaviour.
Tuesday October 2
Topic: Group reading lead by Abdallah Altawairqi on attack model.
Schmittner, C., Gruber, T., Puschner, P., Schoitsch, E. Security Application of Failure Mode and Effect Analysis (FMEA). SAFECOMP 2014. https://doi.org/10.1007/978-3-319-10506-2_21
Tuesday September 25
No specific topic.
Tuesday September 18 (joint with Dubai)
Topic: First Edinburgh-Dubai joint meeting.
Tuesday September 11
Topic: Presentation of the setting and questionnaire for a python programming game experiment (Léon McGregor, Manuel Maarek)
Tuesday September 3
No specific topic.
Tuesday August 21
Introduction of the meetings, discussion of their format.
Topic: Pilot and feedback on questionnaire investigating the use of online platforms by children with autism (Kirsty Macmillan)