A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. In this paper, we design a secure NFC m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. To this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. It is therefore particularly suitable for our (ticketing) setting where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. By implementing a prototype using a standard NFC SIM card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. In particular, a validation can be completed in 184.25 ms when the mobile is switched on, and in 266.52 ms when the mobile is switched off or its battery is flat

Obfuscated Android Application Development

International audienceObfuscation techniques help developers to hide their code when distributing an Android application. The used techniques are linked to the features provided by the programming language but also with the way the application is executed. Using obfuscation is now a common practice and specialized companies sell tools or services for automatizing the manipulation of the source code. In this paper, we present how to develop obfuscated applications and how obfuscation technique usage is evolving in the wild. First, using advanced obfuscation techniques requires some advanced knowledge about the development of Android applications. We describe how to build such applications for helping researchers to generate samples of obfuscated applications for their own research. Second, the use of obfuscation techniques is evolving for both regular applications or malicious ones. We aim at measuring the development of these usages by studying application and malware samples and the artifacts that indicate the use of obfuscation techniques

A Privacy-Preserving Contactless Transport Service for NFC Smartphones

International audienceThe development of NFC-enabled smartphones has paved the way to new applications such as mobile payment (m-payment) and mobile ticketing (m-ticketing). However, often the privacy of users of such services is either not taken into account or based on simple pseudonyms, which does not offer strong privacy properties such as the unlinkability of transactions and minimal information leakage. In this paper, we introduce a lightweight privacy-preserving contactless transport service that uses the SIM card as a secure element. Our implementation of this service uses a group signature protocol in which costly cryptographic operations are delegated to the mobile phone

Mascopt - A Network Optimization Library: Graph Manipulation

This report introduces a JAVA library whose objective is to provide tools for solving some network optimization problems and that may be used to write prototype software. We describe here the first step of the development which concerns algorithmic graph problems. This open source library named MASCOPT includes an implementation of a generic model of graph. This library has been designed with an object-oriented model and aims to be user friendly rather than focusing on speed of execution. We show how the model can be extended and dedicated to a user application by using simple object mechanism. We also present a basic description of the MASCOPT functionalities so that developers, who are familiar with objects, can use effectively for their own experimentations

A kriging-based analysis of cloud liquid water content using CloudSat data

Spatiotemporal statistical learning has received increased attention in the past decade, due to spatially and temporally indexed data proliferation, especially data collected from satellite remote sensing. In the meantime, observational studies of clouds are recognized as an important step toward improving cloud representation in weather and climate models. Since 2006, the satellite CloudSat of NASA is carrying a 94 GHz cloud-profiling radar and is able to retrieve, from radar reflectivity, microphysical parameter distribution such as water or ice content. The collected data are piled up with the successive satellite orbits of nearly 2 h, leading to a large compressed database of 2 Tb (http://cloudsat.atmos.colostate.edu/, last access: 8 June 2022). These observations offer the opportunity to extend the cloud microphysical properties beyond the actual measurement locations using an interpolation and prediction algorithm. To do so, we introduce a statistical estimator based on the spatiotemporal covariance and mean of the observations known as kriging. An adequate parametric model for the covariance and the mean is chosen from an exploratory data analysis. Beforehand, it is necessary to estimate the parameters of this spatiotemporal model; this is performed in a Bayesian setting. The approach is then applied to a subset of the CloudSat dataset

KRAKEN: A Knowledge-Based Recommender system for Analysts, to Kick Exploration up a Notch

International audienceDuring a computer security investigation, a security analyst has to explore the logs available to understand what happened in the compromised system. For such tasks, visual analysis tools have been developed to help with log exploration. They provide visualisations of aggregated logs, and help navigate data efficiently. However, even using visualisation tools, the task can still be difficult and tiresome. The amount and the numerous dimensions of the logs to analyse, the potential stealthiness and complexity of the attack may end with the analyst missing some parts of an attack. We offer to help the analyst finding the logs where her expertise is needed rapidly and efficiently. We design a recommender system called KRAKEN that links knowledge coming from advanced attack descriptions into a visual analysis tool to suggest exploration paths. KRAKEN confronts real world adversary knowledge with the investigated logs to dynamically provide relevant parts of the dataset to explore. To evaluate KRAKEN we conducted a user study with seven security analysts. Using our system, they investigated a dataset from the DARPA containing different Advanced Persistent Threat attacks. The results and comments of the security analysts show the usability and usefulness of the recommender system

Étude du comportement de l'aorte dans le cadre de pathologie de type anévrisme

Actuellement, lorsqu’un patient présente une dilatation de l’aorte impliquant la possibilité d’une intervention chirurgicale (en raison du risque de rupture), la décision thérapeutique est prise en fonction du rapport des diamètres de l’artère au niveau de l’anévrisme et à proximité de celui-ci. La décision de traiter ou non est prise en fonction de la mesure de ces diamètres. En général on opère le patient si le diamètre est supérieur à 50 mm. Malheureusement des ruptures peuvent survenir pour des diamètres inférieurs à 50 mm, sans que l’on ait pu déterminer le risque d’anévrisme. Le diagnostic ne peut donc pas se contenter d’une mesure dimensionnelle simple. En effet, la compliance de l’artère, c’est-à-dire son aptitude à se déformer tout en résistant, reste un facteur important pour prendre la décision d’une intervention chirurgicale L’étude présentée a pour objectif de quantifier les déformations sur des fantômes (répliques) en silicone ayant des géométries similaires à celle des patients présentant une pathologie de type anévrisme. Un système de mesure, basé sur la stéréo-vision, permet d’effectuer les mesures en 3D du fantôme soumis à des pressions dynamiques basée sur un cycle cardiaque. Le mouchetis de contraste a été intégré directement dans le silicone, ce qui permet une bonne tenue de celui-ci. Une modélisation par éléments finis basée sur un comportement hyperélastique permet de déterminer les états de contraintes correspondants tout au long du cycle cardiaque. Afin d’obtenir un système pertinent et exploitable par les spécialistes de cardiologie, le dispositif expérimental a été installé dans un IRM. Les images obtenues des fantômes en 4D (3D spatial+ temps) ont été confrontées à celles obtenues par le dispositif de stéréovision pour définir une capabilité de l’IRM à mesurer la compliance locale d’une Aorte. Les résultats sont présentés pour diverses géométries de fantômes

Un algorithme d'allocation de bande passante satellitaire

Ce rapport présente un algorithme d'allocation de ressources pour les réseaux satellitaires. Il s'agit de prévoir un plan d'allocation en temps/fréquence pour un ensemble de terminaux ayant une configuration géométrique définie et soumis à des contraintes d'interférence. On cherche à minimiser la taille du plan de fréquences tout en garantissant que toutes les demandes des terminaux, en termes de bande passante et pour différents types, sont satisfaites. L'algorithme proposé repose sur deux techniques principales: la génération de configurations admissibles pour les contraintes d'interférence par des heuristiques, la programmation mixte linéaire/entière utilisant la génération de colonnes. La solution obtenue permet de prévoir un plan d'allocation admissible avec des garanties d'optimalité et permet aussi de mettre en évidence les configurations d'interférences qui entravent la génération de bonnes solutions

Preventing Serialization Vulnerabilities through Transient Field Detection

International audienceVerifying Android applications' source code is essential to ensure users' security. Due to its complex architecture, Android has specific attack surfaces which the community has to investigate in order to discover new vulnerabilities and prevent as much as possible malicious exploitations. Communication mechanisms are one of the Android components that should be carefully checked and analyzed to avoid data leakage or code injections. Android software components can communicate together using serialization processes. Developers need thereby to indicate manually the transient keyword whenever an object field should not be part of the serialization. In particular, field values encoding memory addresses can leave severe vulnerabilities inside applications if they are not explicitly declared transient. In this study, we propose a novel methodology for automatically detecting, at compilation time, all missing transient keywords directly from Android applications' source code. Our method is based on taint analysis and its implementation provides developers with a useful tool which they might use to improve their code bases. Furthermore, we evaluate our method on a cryptography library as well as on the Telegram application for real world validation. Our approach is able to retrieve previously found vulnerabilities, and, in addition, we find non-exploitable flows hidden within Telegram's code base

DaViz: Visualization for Android Malware Datasets

National audienceWith millions of Android malware samples available, researchers have a large amount of data to perform malware detection and classification, specially with the help of machine learning. Thus far, visualization tools focus on single samples or one-to-many comparison, but not a many-to-many approach. In order to exploit the quantity of data from various datasets to obtain meaningful information, we propose DaViz, a visualization tool for Android malware datasets. With the aid of multiple chart types and interactive sample filtering, users can explore different application datasets and compare them. This new tool allows to get a better understanding of the datasets at hand, and help to continue research by narrowing the samples to those of interest based on selected characteristics