HWU Cyber Security Research Meetings

HWU Cyber Security Research meets regularly; this page records the topics of these meetings and sets the agenda for future meetings.

The meeting takes place every Tuesday at 11am UK time online on Teams or Collaborate or, when not online, in EM 1.58 on the Edinburgh campus.

2023

Wednesday May 17 Joint CS / Cybersec / LAIV / DSG seminar

Speaker

Muhammad Usama Sardar (Technische Universität Dresden, Germany), visiting during the whole week.

Title

Confidential Computing: The Role of Attestation 

Abstract

Attestation is one of the most critical mechanisms in confidential computing (CC). This talk presents a novel approach based on the combination of Trusted Execution Environment (TEE)-agnostic attestation architecture and formal analysis enabling comprehensive and rigorous security analysis of attestation mechanisms in CC. We demonstrate the application of our approach for three prominent industrial representatives, namely Arm Confidential Compute Architecture (CCA) in architecture lead solutions, Intel Trust Domain Extensions (TDX) in vendor solutions, and Secure CONtainer Environment (SCONE) in frameworks. For each of these solutions, we provide a comprehensive specification of all phases of the attestation mechanism in confidential computing, namely provisioning, initialization, and attestation protocol. Our approach reveals design and security issues in Intel TDX and SCONE attestation.

Bio

Muhammad Usama Sardar is a Research Associate at TU Dresden working for the Transregional Collaborative Research Centre 248 “Foundations of Perspicuous Software Systems” (CPEC) since October 2021. His current research focuses on the formal specification and verification of architecturally-defined remote attestation for confidential computing, specifically Intel SGX, TDX and Arm CCA. He leads the recently accepted formal specification project in CCC Attestation SIG, and contributes to various research networks, such as EuroProofNet (WG3), Open Compute Project (OCP), and Méthodes formelles pour la sécurité. He is also a tutor for the master’s courses: Systems Engineering, Principles of Dependable Systems, and Software Fault Tolerance.

2021

Tuesday August 31 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Seminar by Rosario Giustolisi, Associate Professor, Dept. Computer Science, IT University of Copenhagen, Denmark

Title: Fixing Vulnerabilities Automatically with Linters

Abstract:

Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers? We investigate the extent to which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect -- and automatically fix -- certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared with the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.

Tuesday August 24 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Lightning MSc talk on your Security-related Dissertations by Peter Kirwan

Title: Anti-Phishing Training, Gamification and Memory

Tuesday July 6 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Group reading/watching ICSE 2021 paper: https://conf.researchr.org/details/icse-2021/icse-2021-papers/124/-Do-this-Do-that-And-nothing-will-happen-Do-specifications-lead-to-securely-store

Tuesday June 21 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Filip Bartoszewski will give a talk on his PhD work. Title: Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles

Tuesday June 15 (joint with Dubai) online (from 2pm UK time, 5pm UAE time)

Topics:

Friday June 11 online (from 11am UK time)

Topic: Kahraman Kostas will give a talk on his PhD work. Title: Behaviour Based Security with Machine Learning In IoT Networks

2020

Wednesday December 16 (joint with Dubai) online (from 11am UK time, 3pm UAE time)

Topic: Group reading on two topics from USENIX 2020 papers

More details at: https://www.usenix.org/conference/usenixsecurity20/technical-sessions

Thursday December 10 online (from 9pm UK time)

End of year social get-together!

Tuesday December 1 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)

Topic: Activities update & Discussion

Tuesday November 24 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)

Topic: Activities update & Discussion

Tuesday November 17 (joint with Dubai) online (from 10am UK time, 2pm UAE time)

Topic: Seminar by Giampaolo Bella (University of Catania, Italy)

Title: Out to explore the cybersecurity planet

Abstract: 

Purpose – Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which manages to spread a malicious update of the wallet app. The author therefore sets out to look at things through a different lens.

Design/methodology/approach – The author makes the (metaphorical) hypothesis that humans arrived on Earth along with security ceremonies from a very far planet, the Cybersecurity planet. The author’s hypothesis continues, in that studying (by huge telescopes) the surface of Cybersecurity in combination with the logical projection on that surface of what happens on Earth is beneficial for us earthlings.

Findings – The author has spotted four cities so far on the remote planet. Democratic City features security ceremonies that allow humans to follow personal paths of practice and, for example, make errors or be driven by emotions. By contrast, security ceremonies in Dictatorial City compel to comply, hence humans here behave like programmed automata. Security ceremonies in Beautiful City are so beautiful that humans just love to follow them precisely. Invisible City has security ceremonies that are not perceivable, hence humans feel like they never encounter any. Incidentally, the words “democratic” and “dictatorial” are used without any political connotation.

Originality/value – A key argument the author shall develop is that all cities but Democratic City address the human factor, albeit in different ways. In the light of these findings, the author will also discuss security ceremonies of our planet, such as WhatsApp Web login and flight boarding, and explore room for improving them based upon the current understanding of Cybersecurity.

Paper: Bella, G. (2020), "Out to explore the cybersecurity planet", Journal of Intellectual Capital, Vol. 21 No. 2, pp. 291-307. 

Tuesday November 10

No meeting

Tuesday November 3 (joint with Dubai) online (from 11am UK time, 3pm UAE time)

Topic: Seminar by Siamak F. Shahandashti (University of York)

Title: Revisiting Security Vulnerabilities in Commercial Password Managers

Abstract:

In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors.

Paper: Michael Carr and Siamak F. Shahandashti. "Revisiting Security Vulnerabilities in Commercial Password Managers". IFIP SEC 2020. 

Tuesday October 27 (joint with Dubai) online on Teams (from 11am UK time, 3pm UAE time)

Topic: Activities update & Discussion

Tuesday October 20 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Kirsty Macmillan will give a rehearsal NordiCHI 2020 talk. Title: Are autistic children more vulnerable online? Relating autism to online safety, child wellbeing and parental risk management

Tuesday October 13 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)

Topic: Activities update & Discussion

Tuesday September 29 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)

Topic: Activities update & Discussion

Tuesday September 1 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: Tin Tironsakkul will give a rehearsal CBT 2020 talk. Title: Tracking Mixed Bitcoins

Tuesday August 25 (joint with Dubai) online (from 11am UK time, 2pm UAE time)

Topic: We have two short presentations this week.

Tuesday August 11 (joint with Dubai) online on Teams (from 11am UK time, 2pm UAE time)

Topic: Kickoff for 2020-21

Tuesday June 30 (joint with Dubai) online on Teams (from 11:15am UK time, 2:15pm UAE time)

Topic: Planning for 2020-21

Tuesday June 23

No meeting

Tuesday June 16 (joint with Dubai) online on Collaborate (from 11:15am UK time, 2:15pm UAE time)

Topic: Rabia Saleh will give a talk on her PhD work. Title: SDN-based MANET using existing OpenFlow protocol

Monday June 8 (joint with Dubai) online on Collaborate (from 1pm UK time, 4pm UAE time)

Topic: Kahraman Koştaş will give a talk on his PhD work. Title: Behaviour-Based Device Detection via Machine Learning in IoT Networks

Tuesday June 2 (joint with Dubai) online on Collaborate (from 11:00am to 12:30noon UK time, 2:00pm to 3:30pm UAE time)

Topics: We have two presentations this week.

Tuesday May 26

No meeting

Wednesday May 20 (joint with Dubai) online on Collaborate (at 10:00am UK time, 1:00pm UAE time)

Topic: Léon McGregor will give a talk on his PhD work. Title: Surveying Usable Security in APIs

Tuesday May 12

No meeting

Tuesday May 5 (joint with Dubai) online on Teams or Collaborate (at 11:30am UK time, 2:30pm UAE time)

Topic: Biju Hameed will give a talk on his MSc project. Title: Cybersecurity in Operational Technology (OT) environments

Tuesday April 28 (joint with Dubai) online on Teams or Collaborate

Topic: Tin Tironsakkul will give a talk on his PhD work. Title: Cryptocurrency Transaction Tracking

Tuesday April 21

No meeting

Tuesday April 14

No meeting (extended Easter Weekend)

Tuesday April 7 (joint with Dubai) online on Teams or Collaborate

Topic: Sam Grossick will give a talk on his Computer Systems Honours project. Title: Impact of Increased Security Measures on User Trust in Online Transactions

Tuesday March 31 (joint with Dubai) online on Teams

Topic: Planning of further online meetings and activities.

Tuesday January 14 (13:15 in EM 1.58)

Topic: Katie Watson will give a talk on her PhD work. Title: Efficacy of comic permission requests

2019

Tuesday November 19 (12:15 in EM 1.58)

Topic: IT Master Class - A comprehensive introduction to GDPR for internet entrepreneurs by Yann Jaffrennou

Tuesday November 12

No meeting.

Tuesday October 29

No meeting.

Tuesday October 22

No meeting.

Tuesday October 15

No meeting.

Tuesday October 8 (11:30 in CM F.17)

Topic: Short planning meeting.

Tuesday October 1 (11:15 in CM F.17)

Topic: Kirsty Macmillan will give the talk on her PhD research she gave last week at a conference. Title: What are the online safety risks for autistic children? A mixed methods study.

Monday September 23

No meeting

Tuesday September 17

No meeting

Tuesday September 10 (14:15 in EM 1.58)

Topic: rehearsal talk by Abdullah Altawairqi

Tuesday September 3

No meeting

Tuesday August 27

No meeting

Wednesday August 21 (10:15 in CM F.17)

Topic: Discussion in preparation for the new academic year.

Wednesday July 3 in EM 1.82 from 12:00am

Topic: Joint LAIV and Cyber Security PhD Seminar

Monday June 3 in EM 1.82 from 10:30am

Topic: Cyber Security PhD Seminar

Tuesday May 28 (joint with Dubai at 15:30) (in Edinburgh this meeting will be in CM F.17 at 12:30)

Topic: Continuing our Group reading led by Hani Ragab Hassen on Attribute-Based Access Control.

Tuesday May 21

No meeting as the Workshop on Serious Games for Cyber Security is taking place on Tuesday 21 and Wednesday 22.

Tuesday May 14 

Topic: Updates and preparation for Workshop on Serious Games for Cyber Security.

Tuesday May 7 (11:30 in CM F.17)

Topic: Updates and upcoming Workshop on Serious Games for Cyber Security.

Tuesday April 30

No meeting.

Tuesday April 23

No meeting.

Tuesday April 16

Topic: Joint CS seminar at 14:30 in EM 1.70 by Charles Weir (Lancaster University).

Title: Riding the Wave: Using the New Interest in Software Security to Engage and Learn with Industry

Abstract: 

GDPR, Facebook, T-Mobile, Heartbleed, WannaCry, E-Payment Fraud, £650 million bank robbery: public and business appreciation of the dangers of ‘cyber’ security and privacy issues has increased massively in the last few years. Changes in technology have made perimeter security insufficient; developers and product management must now be involved, requiring skills and knowledge not traditionally taught to cyber security experts. This creates opportunities for research organisations to contribute significantly to solutions; and a large demand from industry for anything that can help. But how can we as researchers ride this wave of demand?

Charles’ talk will provide a basis to consider this question. He’ll introduce the Magid project at Lancaster University: the building and testing of an intervention package to help development teams improve security. He’ll discuss three powerful research techniques not usual in software research; how they recruited a dozen different industry teams to trial the techniques; and some of the results they found.

Bio: Charles Weir is a Researcher at Security Lancaster, within Lancaster University, UK. He is passionate about improving the security skills of teams of professional software developers, and has contributed to a dozen peer-reviewed publications in the three years since he started academic research. Previously he set up the mobile application development company, Penrillian, and ran it successfully for 15 years, employing up to thirty people and with a total turnover well over £20M. Charles also helped introduce object-oriented and agile methods to the UK, and was technical lead for the world’s first smartphone. 

Tuesday April 9 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)

Topic: Group reading led by Hani Ragab Hassen on Attribute-Based Access Control.

Tuesday April 2

Topic: Joint CS seminar in EM 1.70 by Sasa Radomirovic (University of Dundee).

Title: A Formal Analysis of 5G Authentication

Abstract:

Mobile communication networks connect much of the world's population. The security of users' calls, text messages, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose.

In this talk, I will show how the application of formal methods has helped us discover and repair authentication flaws in the 5G standard. In particular, I will give an introduction to our security protocol modeling language and the automated protocol verification tool Tamarin.  No specialist knowledge will be assumed.

Joint work with David Basin, Jannik Dreier, Lucca Hirschi, Ralf Sasse, and Vincent Stettler.

Bio: Dr. Sasa Radomirovic is a senior lecturer at the University of Dundee after previously having been a senior scientist at ETH Zurich in Switzerland. Radomirovic received a PhD in number theory from Rutgers University, USA and moved on to cryptographic protocols and formal methods for information security at NTNU Norway and the University of Luxembourg. Over the last ten years his research has focused on modeling and verification of security and privacy critical systems.

Tuesday March 26

No meeting.

Tuesday March 19

No meeting.

Tuesday March 12

Topic: PhD doctoral consortium.

Tuesday March 5

No meeting.

Tuesday February 26 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)

Topic: Syeda Rubbani will be discussing her work on the security of IoT communications.

Tuesday February 19

No meeting.

Tuesday February 12

Topic: Group reading led by Kirsty Macmillan on cyber security, social engineering and autism.

Tuesday February 5

Topic: Tin to talk about aspects of his PhD research.

And as Kirsty pointed out, February 5 is Safer Internet Day!

Tuesday January 29

Topic: Filip Bartoszewski to give a practice talk on his PhD research.

Tuesday January 22

Meeting cancelled.

Tuesday January 15

No meeting.

Tuesday January 8

Topic: first meet-up of the new year.

2018

Tuesday December 18

Topic: Wrapping up the year, this will be our last meeting before the break

No meeting on Tuesday December 11

No meeting on Tuesday December 4

Tuesday November 27

Topic: Manuel Maarek to give a GALA 2018 practice talk titled: Co-created design of a serious game investigation into developer-centred security (joint work with Sandy Louchart, Léon McGregor, and Ross McMenemy)

Tuesday November 20

Topic: Joint CS seminar in EM 1.70 by François Pessaux (ENSTA ParisTech), visiting during the whole week.

Title

FoCaLiZe - An (easy?) language with computational and logical aspects

Abstract

The question of formally proving that programs comply with properties describing their specification is a notoriously complex and polymorphic problem. Several development environments attempt to bring answers.

In this talk, we will present one of them, FoCaLiZe, which allows one, within a single programming language, to deal with algorithms, properties and proofs, while trying to stay simple enough and close to usual programming languages. The presentation will address the features of the language and, briefly, its compilation.

FoCaLiZe generates OCaml, Coq and Dedukti codes to obtain both an executable (or a library) and a complete formal model of the program, its properties and their proofs. This model is sent to a formal checker to double-check the validity of the development. FoCaLiZe applies a common compilation trunk and code generation model to ensure a good traceability between the produced codes.

Bio

François Pessaux has been an Associate Professor at ENSTA ParisTech for 7 years. He did his PhD thesis in the Cristal project at INRIA from 1997 to 1999 on the analysis of uncaught exceptions in OCaml. He then spent one and a half years in a post-doctoral position at Lucent / Hoboken University in the USA, before coming back to France where he led, 6 years ago, the R&D department at SURLOG, a company specialized in safety analyses. He came back to the academic world on a 2-year contract at LIP6 where he developed FoCaLiZe on the basis of Focal. He then worked for one year at KALRAY to develop, among other things, a prototype scheduler for a massively parallel architecture and an Eclipse plugin for the programming language supporting this architecture. Finally, for one year he redesigned the typechecker of the OPA programming language at MLstate before joining ENSTA ParisTech.

Tuesday November 13

Topic: Group reading led by Tin Tironsakkul on cryptocurrency transaction analysis.

No meeting on Tuesday November 6


No meeting on Tuesday October 30


Tuesday October 23 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)

Topic: Manuel Maarek to give a PLATEAU 2018 practice talk titled: Observing the uptake of a language change making strings immutable

Tuesday October 16 (joint with Dubai) (in Edinburgh this meeting will be in CM F.17)

Topic: Group reading led by Kayvan Karim on generative adversarial networks (GANs).

Tuesday October 9

Topic: Mashael Alasmari will present for feedback her questionnaire on Facebook usage and behaviour.

Tuesday October 2

Topic: Group reading led by Abdallah Altawairqi on attack model.

Tuesday September 25

No specific topic.

Tuesday September 18 (joint with Dubai)

Topic: First Edinburgh-Dubai joint meeting.

Tuesday September 11

Topic: Presentation of the setting and questionnaire for a Python programming game experiment (Léon McGregor, Manuel Maarek)

Tuesday September 3

No specific topic.

Tuesday August 21

Introduction of the meetings, discussion of their format.

Topic: Pilot and feedback on questionnaire investigating the use of online platforms by children with autism (Kirsty Macmillan)