
    Do the ECB's Statements Steer Short-Term and Long-Term Interest Rates in the Euro Zone?

    In this paper we test whether the press conferences held after meetings of the ECB's monetary policy council steer short- and long-term market interest rates in the euro zone. To do so, we codify each statement as neutral, hawkish, or dovish. Using a principal components analysis of euro-zone short- and long-term interest rates, we show that market rates react significantly to the bias in statements, and more particularly to changes in statements from one meeting to the next. Studying the reactions of short- and long-term rates separately, the short end of the yield curve reacts more sharply to statements than the long segment: the effect peaks at maturities of six or twelve months and is smaller for longer maturities. Non-parametric tests confirm these results.
    Keywords: Communication; Transparency; Monetary Policy; European Central Bank.

    Is Transparency about Central Banks' Preferences Desirable?

    In this paper we ask whether it is possible for a central bank to reveal its preferences, more precisely the weight it assigns to stabilising inflation and the output gap in its objective function. We consider that the central bank can reveal information about its preferences in two ways: explicitly, through its communication policy, and implicitly, through its monetary policy decisions. We then study, in a dynamic game, transparency about the central bank's forecasts as a substitute for transparency about its preferences when the private sector is able to revise its initial estimate of the central bank's preferences (private-sector learning).
    Keywords: Transparency; central bank preferences.

    Securing Cross-App Interactions in IoT Platforms

    IoT platforms enable users to connect various smart devices and online services via reactive apps running in the cloud. These apps, often developed by third parties, perform simple computations on data triggered by external information sources and actuate the results of the computation on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we still lack a semantic framework for understanding interactions between IoT apps: the question of what security policy cross-app interference embodies remains largely unexplored. This paper proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The framework generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria for these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies in the context of the security and safety of IoT apps. To demonstrate the usefulness of our framework, we define static mechanisms for enforcing cross-app security and safety, and prove them sound with respect to our semantic conditions. Finally, we leverage real-world apps to validate the practical benefits of our policy framework.

    Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

    Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as DoS, privilege escalation, and remote code execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, and thus only shows the feasibility of DoS attacks against Node.js libraries. In this paper, we study the problem holistically, from the detection of prototype pollution to the detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, together with a hybrid approach to detect universal gadgets, notably by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL and find 11 universal gadgets in core Node.js APIs that lead to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollution and gadgets. We manually exploit RCE in two high-profile applications. Our results provide alarming evidence that prototype pollution, in combination with powerful universal gadgets, leads to RCE in Node.js.
    Comment: To appear at USENIX Security'2
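The mechanism this abstract describes, shown end to end in an added example that is not the paper's code: a recursive merge that follows a `__proto__` key in attacker-supplied JSON into `Object.prototype`, a constructed gadget that falls back to a default only when a property lookup comes back undefined, and a merge hardened against the polluting keys. The gadget (`buildCommand`) and the payload are hypothetical illustrations and are not among the Node.js API gadgets the paper reports; the gadget returns a command string and never executes it.

```javascript
// Added illustration, not the paper's code: a merge that follows "__proto__"
// into Object.prototype, a constructed gadget that trusts a property lookup,
// and a hardened merge. The gadget is hypothetical, not one of the Node.js
// API gadgets the paper found.

// Vulnerable: recurses into target[key] for any key the source supplies.
// For key "__proto__", target[key] is Object.prototype, so the nested
// object's properties land on every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain and only descend
// into own properties of the target. (Merging into a null-prototype object,
// Object.create(null), removes the "__proto__" accessor altogether.)
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed gadget: ordinary code that falls back to a default only when
// the caller passed nothing. After pollution the lookup finds the attacker's
// value on the prototype, so the "default" branch is silently bypassed.
function buildCommand(opts = {}) {
  const shell = opts.shell !== undefined ? opts.shell : '/bin/sh';
  return `${shell} -c "echo hi"`; // returned, never executed, in this example
}

// Detection check: has some code left an own property on the root prototype?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs the whole chain with constructed attacker input and cleans up after
// itself so the process is not left polluted.
function demo() {
  // JSON.parse creates an own property literally named "__proto__", which
  // Object.keys returns; an object literal with that key would instead set
  // the prototype and never show up as a key.
  const payload = JSON.parse('{"__proto__": {"shell": "/tmp/evil"}}');

  const before = buildCommand({});
  unsafeMerge({}, payload);                 // target is a throwaway object ...
  const afterUnsafe = buildCommand({});     // ... yet an unrelated object is affected
  const pollutedByUnsafe = isPolluted('shell');
  delete Object.prototype.shell;            // restore the process

  safeMerge({}, payload);
  const afterSafe = buildCommand({});
  const pollutedBySafe = isPolluted('shell');
  return { before, afterUnsafe, pollutedByUnsafe, afterSafe, pollutedBySafe };
}
```

The two merges differ only in the key filter and the own-property check, which is exactly the kind of sink the taint analysis described above has to find: a write whose property name is attacker-controlled and whose target can be reached through `__proto__`. The `constructor` and `prototype` keys are blocked as well, because a `constructor.prototype` path reaches the same object when the merge happens to treat functions as mergeable.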

    SandTrap: Securing JavaScript-driven Trigger-Action Platforms

    Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative, Node-RED, are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes made by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap for IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.

    Analysing One's Lesson: The Discourse of Third-Year Undergraduate (Licence 3) Trainee Students in Physical Education (EPS)

    The aim of this didactic research is to describe and understand how four trainee students analyse teaching-learning sequences in physical education (Éducation physique et sportive, EPS). Processing the data from self-confrontation interviews highlights, beyond the regularities, specificities particular to each trainee. The discourse analysis shows that they mobilise speech acts in a certain way and adopt different reflexive postures. The results question the effects of these modes of reflexivity on professional development.

    Securing Node-RED Applications

    Trigger-Action Platforms (TAPs) play a vital role in fulfilling the promise of the Internet of Things (IoT) by seamlessly connecting otherwise unconnected devices and services. While they enable novel and exciting applications across a variety of services, security and privacy issues must be taken into consideration because TAPs essentially act as persons-in-the-middle between trigger and action services. The issue is further aggravated since the triggers and actions on TAPs are mostly provided by third parties, extending trust beyond the platform providers. Node-RED, an open-source JavaScript-driven TAP, lets users effortlessly employ and link nodes via a graphical user interface. Because it is built upon Node.js, third-party developers can extend the platform’s functionality by publishing nodes and their wirings, known as flows. This paper proposes an essential model for Node-RED, suitable for reasoning about nodes and flows, be they benign, vulnerable, or malicious. We expand on attacks discovered in recent work, ranging from exfiltrating data from unsuspecting users to taking over the entire platform by misusing sensitive APIs within nodes. We present a formalization of a runtime monitoring framework for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level. We introduce the monitoring framework for Node-RED that isolates nodes while permitting them to communicate via well-defined API calls complying with the policy specified for each node.
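The enforcement idea shared by this abstract and the SandTrap abstract above, a proxy-based membrane between a third-party node and the host's modules that checks an allowlist at module, API and argument-value level, in an added example that is code from neither paper. The policy format, the two stand-in modules (the real `fs` and `child_process` are not touched) and the "node" are all constructed here; it shows only the host-to-node direction of the membrane and omits the vm-based context isolation the papers combine it with.

```javascript
// Added example, not SandTrap's or Node-RED's code: a proxy-based membrane
// enforcing an allowlist at module, API and argument-value level. The policy
// format, the stand-in modules and the node are constructed; this is the
// host-to-node direction only, without vm-based context isolation.

class PolicyViolation extends Error {}

// Stand-in host modules (constructed; the real fs and child_process are not used).
const hostModules = {
  fs: {
    readFileSync: (path) => `contents of ${path}`,
    writeFileSync: (path, data) => `wrote ${data.length} bytes to ${path}`,
  },
  child_process: {
    execSync: (cmd) => `ran ${cmd}`,
  },
};

// Policy for one node: module -> API -> predicate on the call's arguments
// (true means any arguments). Anything not listed is denied.
const nodePolicy = {
  fs: {
    readFileSync: (args) => typeof args[0] === 'string' && args[0].startsWith('/data/'),
  },
};

// Wraps one module so that only allowlisted APIs are reachable, every call is
// checked against its value-level predicate, and the node cannot mutate the
// shared module object (which would otherwise affect every other node).
function wrapModule(name, mod, modPolicy) {
  return new Proxy(mod, {
    get(target, prop) {
      if (!Object.prototype.hasOwnProperty.call(modPolicy, prop)) {
        throw new PolicyViolation(`${name}.${String(prop)} is not allowlisted`);
      }
      const value = target[prop];
      if (typeof value !== 'function') return value;
      const check = modPolicy[prop];
      return new Proxy(value, {
        apply(fn, _thisArg, args) {
          if (check !== true && !check(args)) {
            throw new PolicyViolation(`${name}.${String(prop)}(${JSON.stringify(args)}) denied by value policy`);
          }
          return Reflect.apply(fn, target, args);
        },
      });
    },
    set(_target, prop) {
      throw new PolicyViolation(`${name}.${String(prop)} is read-only for this node`);
    },
  });
}

// The require() handed to the node: module-level allowlist, then the membrane.
function makeSandboxRequire(policy) {
  return (name) => {
    if (!Object.prototype.hasOwnProperty.call(policy, name)) {
      throw new PolicyViolation(`module ${name} is not allowlisted`);
    }
    return wrapModule(name, hostModules[name], policy[name]);
  };
}

// Runs a node under a policy and records each attempted call as
// [label, 'ok' | 'blocked' | 'error', result or message].
function runNode(node, policy) {
  const results = [];
  const attempt = (label, fn) => {
    try {
      results.push([label, 'ok', fn()]);
    } catch (e) {
      results.push([label, e instanceof PolicyViolation ? 'blocked' : 'error', e.message]);
    }
  };
  node(makeSandboxRequire(policy), attempt);
  return results;
}

// Constructed third-party node: one legitimate read, then misuses of the kind
// the abstracts describe (reading outside its data, writing, spawning a shell,
// and tampering with a shared module so other nodes would run its code).
function thirdPartyNode(require, attempt) {
  attempt('read own data', () => require('fs').readFileSync('/data/sensor.json'));
  attempt('read secret', () => require('fs').readFileSync('/etc/shadow'));
  attempt('write file', () => require('fs').writeFileSync('/data/out', 'x'));
  attempt('spawn shell', () => require('child_process').execSync('id'));
  attempt('tamper module', () => { require('fs').readFileSync = () => 'backdoor'; });
}
```

The node's code is untouched; only the `require` it receives differs, which is what lets a platform apply a per-node policy without rewriting third-party code. A production membrane must also wrap the objects and callbacks that cross in the other direction (node to host), which is the "two-sided" part the SandTrap abstract refers to and which this example leaves out.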