Formal Analysis of V2X Revocation Protocols

Research on vehicular networking (V2X) security has produced a range of security mechanisms and protocols tailored for this domain, addressing both security and privacy. Typically, the security analysis of these proposals has largely been informal. However, formal analysis can be used to expose flaws and ultimately provide a higher level of assurance in the protocols. This paper focusses on the formal analysis of a particular element of security mechanisms for V2X found in many proposals: the revocation of malicious or misbehaving vehicles from the V2X system by invalidating their credentials. This revocation needs to be performed in an unlinkable way for vehicle privacy even in the context of vehicles regularly changing their pseudonyms. The REWIRE scheme by Forster et al. and its subschemes BASIC and RTOKEN aim to solve this challenge by means of cryptographic solutions and trusted hardware. Formal analysis using the TAMARIN prover identifies two flaws with some of the functional correctness and authentication properties in these schemes. We then propose Obscure Token (OTOKEN), an extension of REWIRE to enable revocation in a privacy preserving manner. Our approach addresses the functional and authentication properties by introducing an additional key-pair, which offers a stronger and verifiable guarantee of successful revocation of vehicles without resolving the long-term identity. Moreover OTOKEN is the first V2X revocation protocol to be co-designed with a formal model.Comment: 16 pages, 4 figure

Symbolic Abstractions for Quantum Protocol Verification

Quantum protocols such as the BB84 Quantum Key Distribution protocol exchange qubits to achieve information-theoretic security guarantees. Many variants thereof were proposed, some of them being already deployed. Existing security proofs in that field are mostly tedious, error-prone pen-and-paper proofs of the core protocol only that rarely account for other crucial components such as authentication. This calls for formal and automated verification techniques that exhaustively explore all possible intruder behaviors and that scale well. The symbolic approach offers rigorous, mathematical frameworks and automated tools to analyze security protocols. Based on well-designed abstractions, it has allowed for large-scale formal analyses of real-life protocols such as TLS 1.3 and mobile telephony protocols. Hence a natural question is: Can we use this successful line of work to analyze quantum protocols? This paper proposes a first positive answer and motivates further research on this unexplored path

Comparing the cost-effectiveness of methods for estimating population density for primates in the Amazon rainforest Peru

With increasingly extreme fluctuations in flood levels in the Amazon basin (Malhi et al. 2008, Marengo et al. 2012, Bodmer et al. 2014) the future of its' fauna is becoming more uncertain. It is essential therefore that effective monitoring is in place in order to detect drops in population before irreversible damage is done. In developing countries such as the ones situated in the Amazon basin funding for conservation is very limited (Danielsen et al. 2003), it is therefore vital that cost effective methods of monitoring the wildlife of the Amazon are found. Three surveying techniques for monitoring primates are compared in this thesis to find the most cost effective method of estimating population densities of primate species local to the Amazon basin; these are terrestrial transects, aquatic transects and audio-playback point counts. Data was collected in the Pacaya-Samiria National Reserve using these methods over a period of four months, from January to May 2014. For both terrestrial and aquatic transects, transect lines were traversed and data was recorded every time an individual or group of the 7 primates species were spotted. Audio-playback point counts were used to record data for red howler monkeys (Alouatta seniculus)and brown capuchin monkeys (Cebus apella). This was done by mimicking primate vocalisations at a point and recording any resultant responses or sightings of the species under observation. Each survey technique was compared with regards to three qualities; precision, ability to react to change and cost. On average over all 7 species of primate aquatic transects produced the most precise estimations of population density with a mean estimation CV% (percentage coefficient of variance) of 36.35% in comparison the 47.3% averaged by terrestrial transects. Both methods failed to produce precise results for the two rarest species present, the monk saki monkey (Pithecia monachus) and the white fronted capuchin monkey (Cebus albifrons). Aquatic transects were also shown to react to sudden change in population levels. For the two species Alouatta seniculus and Cebus apella aquatic transects once again on average gained the most precise results with a mean estimation CV% value of 20.05% in comparison to the 31.08% of terrestrial transects and 36.35% for audio-playback point counts. The estimates created using audio-playback point counts used considerably less time and resources than the other two methods for single species and was also shown to be the quickest to react to immediate changes in population densities. Thus it was concluded that audio-playback point counts can produce relatively precise estimates that react to population changes at low cost. However only one species can be observed at a time using audio-playback point counts; when observing multiple species at one time it was concluded that aquatic transects are by far the cheapest survey technique and the method that produces precise estimates more consistently. I would therefore recommend for a monitoring effort of several primate species at one given time in the Amazon basin, that aquatic transects be used as it is the most cost-effective overall. However if a single species is a monitoring target, perhaps to be used as an indicator species or because the primate is of most concern, then audio-playback point counts be used as it is possible to gain relatively precise results at a minimal cost. I would also like to suggest that the use of audio-playback point counts be tested on rarer primate species in future as neither terrestrial transects nor aquatic transects could produce a useful estimate in a combined effort of 104 half days. If audio-playback point counts could be used to get good estimates for rare primate species then monitoring strategies could be developed combining the use of audio- playback point counts and aquatic transects to gain precise density estimates for all primate species in an area whilst keeping costs low. A generic decision tree is presented at the end of this thesis as a guideline to cost-effective primate monitoring for any seasonally flooding rainforest study site

Building Babies - Chapter 16

In contrast to birds, male mammals rarely help to raise the offspring. Of all mammals, only among rodents, carnivores, and primates, males are sometimes intensively engaged in providing infant care (Kleiman and Malcolm 1981). Male caretaking of infants has long been recognized in nonhuman primates (Itani 1959). Given that infant care behavior can have a positive effect on the infant’s development, growth, well-being, or survival, why are male mammals not more frequently involved in “building babies”? We begin the chapter defining a few relevant terms and introducing the theory and hypotheses that have historically addressed the evolution of paternal care. We then review empirical findings on male care among primate taxa, before focusing, in the final section, on our own work on paternal care in South American owl monkeys (Aotus spp.). We conclude the chapter with some suggestions for future studies.Deutsche Forschungsgemeinschaft (HU 1746/2-1) Wenner-Gren Foundation, the L.S.B. Leakey Foundation, the National Geographic Society, the National Science Foundation (BCS-0621020), the University of Pennsylvania Research Foundation, the Zoological Society of San Dieg

High-level Cryptographic Abstractions

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed. This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS. We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature

ANCHOR: logically-centralized security for Software-Defined Networks

While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference

No sex-biased dispersal in a primate with an uncommon social system-cooperative polyandry.

An influential hypothesis proposed by Greenwood (1980) suggests that different mating systems result in female and male-biased dispersal, respectively, in birds and mammals. However, other aspects of social structure and behavior can also shape sex-biased dispersal. Although sex-specific patterns of kin cooperation are expected to affect the benefits of philopatry and dispersal patterns, empirical evidence is scarce. Unlike many mammals, Saguinus geoffroyi (Geoffroy's tamarin) has a breeding system in which typically multiple males mate with a single breeding female. Males typically form cooperative reproductive partnerships between relatives, whereas females generally compete for reproductive opportunities. This system of cooperative polyandry is predicted to result in female-biased dispersal, providing an opportunity to test the current hypotheses of sex-biased dispersal. Here we test for evidence of sex-biased dispersal in S. geoffroyi using demographic and genetic data from three populations. We find no sex bias in natal dispersal, contrary to the prediction based on the mating patterns. This pattern was consistent after controlling for the effects of historical population structure. Limited breeding opportunities within social groups likely drive both males and females to disperse, suggesting that dispersal is intimately related to the social context. The integration of genetic and field data revealed that tamarins are another exception to the presumed pattern of male-biased dispersal in mammals. A shift in focus from mating systems to social behavior, which plays a role in most all processes expected to influence sex-bias in dispersal, will be a fruitful target for research both within species and across taxa

Language discrimination by human newborns and by cotton-top tamarin monkeys

Humans, but no other animal, make meaningful use of spoken language. What is unclear, however, is whether this capacity depends on a unique constellation of perceptual and neurobiological mechanisms, or whether a subset of such mechanisms are shared with other organisms. To explore this problem, we conducted parallel experiments on human newborns and cotton-top tamarin monkeys to assess their ability to discriminate unfamiliar languages. Using a habituation-dishabituation procedure, we show that human newborns and tamarins can discriminate sentences from Dutch and Japanese, but not if the sentences are played backwards. Moreover, the cues for discrimination are not present in backward speech. This suggests that the human newborns' tuning to certain properties of speech relies on general processes of the primate auditory system