11 research outputs found

    sec-certs: Examining the security certification practice for better vulnerability mitigation

    Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certificates. To address these problems, we conducted a large-scale automated analysis of Common Criteria and FIPS 140 certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities (on average). This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://seccerts.org

    Assessing the relationship between early maladaptive schemas and interpersonal problems using interpersonal scenarios depicting rejection

    Background Early maladaptive schemas (EMSs) have been theorised to contribute to reoccurring interpersonal problems. This study developed a novel experimental paradigm that aimed to assess if EMSs moderate the impact of interpersonal situations on interpersonal responses by manipulating the degree of rejection in a series of interpersonal vignettes depicting acceptance, ambiguous rejection and rejection. Method In a sample of 158 first-year psychology students (27.2% male; 72.2% female; 0.6% other) participant responses to interpersonal scenarios were measured including degree of perceived rejection, emotional distress, conviction in varying cognitive appraisals consistent with attribution theory and behavioural responses to scenarios. Qualitative data was analysed using inductive content analysis and statistical analyses were conducted using multi-level mixed effect linear and logistic regression models using the software Jamovi. Results People reporting higher EMSs reported increased emotional distress (F(1, 156) = 24.85, p < .001), perceptions of rejection (F(1, 156) = 34.33, p < .001), self-blame (F(1, 156) = 53.25, p < .001), other-blame (F(1, 156) = 13.16, p < .001) and more intentional (F(1, 156) = 9.24, p = .003), stable (F(1, 156) = 25.22, p < .001) and global (F(1, 156) = 19.55, p < .001) attributions but no differences in reported behavioural responses. The results also supported that EMSs moderate the relationship between interpersonal rejection and perceptions of rejection (F(2, 1252) = 18.43, p < .001), emotional distress (F(2, 1252) = 12.64, p < .001) and self-blame (F(2, 1252) = 14.00, p < .001). Conclusion Together these findings suggest that people with EMSs experience increased distress and select negative cognitions in situations where there are higher levels of rejection but that distress and negative cognitions are generally higher in people with EMSs irrespective of the situation

    Policy Experimentation and Innovation as a Response to Complexity in China’s Management of Health Reforms

    There are increasing criticisms of dominant models for scaling up health systems in developing countries and a recognition that approaches are needed that better take into account the complexity of health interventions. Since Reform and Opening in the late 1970s, the Chinese government has managed complex, rapid and intersecting reforms across many policy areas. As with reforms in other policy areas, reform of the health system has been through a process of trial and error. There is increasing understanding of the importance of policy experimentation and innovation in many of China’s reforms; this article argues that these processes have been important in rebuilding China’s health system. While China’s current system still has many problems, progress is being made in developing a functioning system able to ensure broad population access. The article analyses Chinese thinking on policy experimentation and innovation and their use in management of complex reforms. It argues that China’s management of reform allows space for policy tailoring and innovation by sub-national governments under a broad agreement over the ends of reform, and that shared understandings of policy innovation, alongside informational infrastructures for the systemic propagation and codification of useful practices, provide a framework for managing change in complex environments and under conditions of uncertainty in which ‘what works’ is not knowable in advance. The article situates China’s use of experimentation and innovation in management of health system reform in relation to recent literature which applies complex systems thinking to global health, and concludes that there are lessons to be learnt from China’s approaches to managing complexity in development of health systems for the benefit of the poor

    Trait mindfulness mediates the relationship between early maladaptive schema and interpersonal problems

    Objective: This study investigated whether early maladaptive schemas (EMSs) are associated with interpersonal problems and whether this relationship is mediated by trait mindfulness. Method: One hundred and seventeen participants (M = 34.66, SD = 17.14) were recruited and completed measures of EMSs (Young Schema Questionnaire, Short Form, Version 3; YSQ-SF-3), trait mindfulness (Kentucky Inventory of Mindfulness Skills; KIMS) and interpersonal problems (Inventory of Interpersonal Problems-32; IIP-32). Results: The number of EMSs endorsed by an individual at a clinically significant level was negatively associated with trait mindfulness and positively associated with interpersonal problems. Trait mindfulness was negatively associated with interpersonal problems. Only the describing and accepting without judgement facets of trait mindfulness were found to mediate the relationship between EMS endorsement and interpersonal problems. Conclusions: The relationship between EMSs and interpersonal problems may partially operate through some facets of trait mindfulness. Implications for future research and clinical practice are discussed

    The relationship between early maladaptive schemas and cognitive, emotional and behavioural responses in interpersonal relationships

    Interpersonal problems are broadly defined as chronic interpersonal performance issues which can comprise interpersonal distress, unhelpful cognitive appraisals and behavioural responses to interpersonal situations and negative interpersonal outcomes (e.g. divorce). These are distinguished from interpersonal skills deficits which presume a person simply lacks the ability to act appropriately in interpersonal situations (Leising et al., 2011). Interpersonal problems can have adverse impacts on psychological wellbeing and are some of the most common reasons people present for psychological treatment (Mckay et al., 2012). This thesis investigated Young et al.'s (2003) early maladaptive schemas (EMS) from the schema therapy model and their relationship with interpersonal problems. In particular, this thesis attempted to clarify the existing evidence available for the relationship between EMS and interpersonal problems and develop a greater understanding for how EMS might be associated with interpersonal problems. Study one aimed to assess the magnitude of the association and potential moderators on the relationship between EMS and interpersonal problems. A total of 49 empirical studies were systematically reviewed and a meta-analysis was performed on reported correlations between EMSs and interpersonal problems using the PRISMA guidelines for systematic reviews. Study one found EMS to have a moderate positive association with interpersonal problems with EMS in the rejection and disconnection domain having the highest correlations with interpersonal problems. The strength of the association between EMS and interpersonal problems was found to be weaker in intimate relationships, when assessed by significant others and when assessing more specific types of interpersonal behaviour (e.g. aggression versus general problematic trait interpersonal tendencies). 
Limited experimental or longitudinal studies were found supporting a causal relationship between EMS on interpersonal problems. Study two designed a novel experimental paradigm for assessing the relationship between EMS and interpersonal problems. Study two consisted of 168 university students where degree of rejection was manipulated in a series of interpersonal vignettes. Study two aimed to assess if EMS moderated the causal relationship between different interpersonal contexts and the emotional, cognitive and behavioural responses to those contexts. Rejection was found to predict emotional, cognitive and behavioural responses and people reporting higher EMS reported higher levels of emotional distress and negative cognitions but no differences in behavioural responses. People reporting higher EMS also reported increased emotional distress and select negative cognitions as the degree of rejection in the interpersonal situation increased. Study three aimed to assess whether EMS are associated with trait tendencies to selectively attend to our environment and whether this was associated with increased interpersonal problems. This aim was achieved by assessing whether trait-mindfulness mediated the relationship between EMS and interpersonal problems. Utilising a sample of 117 university students, study three found both EMS and interpersonal problems to be negatively associated with trait-mindfulness. Decreases in select facets of trait-mindfulness were found to mediate the relationship between EMS and interpersonal problems including reduced tendencies to objectively describe and accept events in our environment without passing judgement. Together the findings of this thesis present consistent support for an association between EMS and interpersonal problems but find that the strength of this association might vary based on types of interpersonal relationships, measures of interpersonal problems and reporters used to assess interpersonal problems. 
This thesis provides one of the first experimental methods for assessing the relationship between EMS and interpersonal problems by manipulating the interpersonal situation (e.g. degrees of rejection) and assessing the changes in interpersonal responses to that situation. This thesis also argues that EMS might be associated with interpersonal problems by restricting attention, increasing emotional distress and negative cognitive reactions to interpersonal situations. This thesis found that EMS might be less likely to predict interpersonal behaviour and that interpersonal behaviour is more likely to vary based on the interpersonal situation

    A Longitudinal Study of Cryptographic API: a Decade of Android Malware

    Cryptography has been extensively used in Android applications to guarantee secure communications, conceal critical data from reverse engineering, or ensure mobile users' privacy. Various system-based and third-party libraries for Android provide cryptographic functionalities, and previous works mainly explored the misuse of cryptographic API in benign applications. However, the role of cryptographic API has not yet been explored in Android malware. This paper performs a comprehensive, longitudinal analysis of cryptographic API in Android malware. In particular, we analyzed 603,937 Android applications (half of them malicious, half benign) released between 2012 and 2020, gathering more than 1 million cryptographic API expressions. Our results reveal intriguing trends and insights on how and why cryptography is employed in Android malware. For instance, we point out the widespread use of weak hash functions and the late transition from insecure DES to AES. Additionally, we show that cryptography-related characteristics can help to improve the performance of learning-based systems in detecting malicious applications. Comment: Fix processing time dat

    Biased RSA private keys: Origin attribution of GCD-factorable keys

    In 2016, Svenda et al. (USENIX 2016, The Million-key Question) reported that the implementation choices in cryptographic libraries allow for qualified guessing about the origin of public RSA keys. We extend the technique to two new scenarios when not only public but also private keys are available for the origin attribution - analysis of a source of GCD-factorable keys in IPv4-wide TLS scans and forensic investigation of an unknown source. We learn several representatives of the bias from the private keys to train a model on more than 150 million keys collected from 70 cryptographic libraries, hardware security modules and cryptographic smartcards. Our model not only doubles the number of distinguishable groups of libraries (compared to public keys from Svenda et al.) but also improves more than twice in accuracy w.r.t. random guessing when a single key is classified. For a forensic scenario where at least 10 keys from the same source are available, the correct origin library is correctly identified with average accuracy of 89% compared to 4% accuracy of a random guess. The technique was also used to identify libraries producing GCD-factorable TLS keys, showing that only three groups are the probable suspects