14 research outputs found

    No Place to Hide that Bytes won't Reveal: Sniffing Location-Based Encrypted Traffic to Track a User's Position

    News reports of the last few years indicated that several intelligence agencies are able to monitor large networks or entire portions of the Internet backbone. Such a powerful adversary has only recently been considered by the academic literature. In this paper, we propose a new adversary model for Location Based Services (LBSs). The model takes into account an unauthorized third party, different from the LBS provider itself, that wants to infer the location and monitor the movements of an LBS user. We show that such an adversary can extrapolate the position of a target user by just analyzing the size and the timing of the encrypted traffic exchanged between that user and the LBS provider. We performed a thorough analysis of a widely deployed location based app that comes pre-installed with many Android devices: GoogleNow. The results are encouraging and highlight the importance of devising more effective countermeasures against powerful adversaries to preserve the privacy of LBS users.
    Comment: 14 pages, 9th International Conference on Network and System Security (NSS 2015)

    Authentication

    No full text

    A formal framework to elicit roles with business meaning in RBAC systems

    No full text
    The role-based access control (RBAC) model has proven to be cost effective to reduce the complexity and costs of access permission management. To maximize the advantages offered by RBAC, the role engineering discipline has been introduced. A viable approach is to explore current applications and systems to find de facto roles embedded in existing user permissions, leading to what is usually referred to as role mining. However, a key problem that has not yet been adequately addressed by existing role mining approaches is how to propose roles that have business meaning. In order to do this, we provide a new formal framework that also enjoys practical relevance. In particular, the proposed framework leverages business information—such as business processes and organization structure—to implement role mining algorithms. Our key observation is that a role is likely to be meaningful from a business perspective when it involves activities within the same business process or organizational units within the same branch. To measure the “spreading” of a role among business processes or organization structure, we resort to centrality indices. Such indices are used in our cost-driven approach during the role mining process. Finally, we illustrate the application of the framework through a few examples.

    Can't you hear me knocking: Identification of user actions on Android apps via traffic analysis

    No full text
    Mauro Conti; Luigi V. Mancini; Riccardo Spolaor; Nino Vincenzo Verde

    Evaluating the Risk of Adopting RBAC Roles

    No full text
    We propose a framework to evaluate the risk incurred when managing users and permissions through RBAC. The risk analysis framework does not require roles to be defined, thus making it applicable before the role engineering phase. In particular, the proposed approach highlights users and permissions that markedly deviate from others, and that might consequently be prone to error when roles are operating. By focusing on such users and permissions during the role definition process, it is possible to mitigate the risk of unauthorized accesses and role misuse.