10 research outputs found

    Secure distributed key generation in attribute based encryption systems

    Nowadays the use of cloud computing is increasing in popularity, and this raises new data protection challenges. In such distributed systems it is unrealistic to assume that the servers are fully trusted in enforcing the access policies. Attribute Based Encryption (ABE) is one of the solutions proposed to tackle these trust problems. In ABE the data is encrypted using the access policy and authorized users can decrypt the data only using a secret key that is associated with their attributes. The secret key is generated by a Key Generation Authority (KGA), which in small systems can be constantly audited, therefore fully trusted. In contrast, in large and distrusted systems, trusting the KGAs is questionable. This paper presents a solution which increases the trust in ABE KGAs. The solution uses several KGAs which issue secret keys only for a limited number of users. One KGA issues a secret key associated with the user's attributes and the other authorities independently issue secret keys associated with generalized values of the user's attributes. Decryption is possible only if the secret keys associated with the non-generalized and generalized attributes are consistent. This mitigates the risk of unauthorized data disclosure when a couple of authorities are compromised.

    Security and emotion : sentiment analysis of security discussions on GitHub

    Application security is becoming increasingly prevalent during software and especially web application development. Consequently, countermeasures are continuously being discussed and built into applications, with the goal of reducing the risk that unauthorized code will be able to access, steal, modify, or delete sensitive data. In this paper we gauged the presence and atmosphere surrounding security-related discussions on GitHub, as mined from discussions around commits and pull requests. First, we found that security-related discussions account for approximately 10% of all discussions on GitHub. Second, we found that more negative emotions are expressed in security-related discussions than in other discussions. These findings confirm the importance of properly training developers to address security concerns in their applications as well as the need to test applications thoroughly for security vulnerabilities in order to reduce frustration and improve overall project atmosphere.

    PUMiner: Mining security posts from developer question and answer websites with PU learning

    Co-located with ICSE '20: 42nd International Conference on Software Engineering. Security is an increasing concern in software development. Developer Question and Answer (Q&A) websites provide a large amount of security discussion. Existing studies have used human-defined rules to mine security discussions, but these works still miss many posts, which may lead to an incomplete analysis of the security practices reported on Q&A websites. Traditional supervised Machine Learning methods can automate the mining process; however, the required negative (non-security) class is too expensive to obtain. We propose a novel learning framework, PUMiner, to automatically mine security posts from Q&A websites. PUMiner builds a context-aware embedding model to extract features of the posts, and then develops a two-stage PU model to identify security content using the labelled Positive and Un-labelled posts. We evaluate PUMiner on more than 17.2 million posts on Stack Overflow and 52,611 posts on Security StackExchange. We show that PUMiner is effective with the validation performance of at least 0.85 across all model configurations. Moreover, Matthews Correlation Coefficient (MCC) of PUMiner is 0.906, 0.534 and 0.084 points higher than one-class SVM, positive-similarity filtering, and one-stage PU models on unseen testing posts, respectively. PUMiner also performs well with an MCC of 0.745 for scenarios where string matching totally fails. Even when the ratio of the labelled positive posts to the un-labelled ones is only 1:100, PUMiner still achieves a strong MCC of 0.65, which is 160% better than fully-supervised learning. Using PUMiner, we provide the largest and up-to-date security content on Q&A websites for practitioners and researchers. Triet Huynh Minh Le, David Hin, Roland Croft, and M. Ali Baba

    HBM4EU chromates study - Overall results and recommendations for the biomonitoring of occupational exposure to hexavalent chromium

    Exposure to hexavalent chromium [Cr(VI)] may occur in several occupational activities, e.g., welding, Cr(VI) electroplating and other surface treatment processes. The aim of this study was to provide EU relevant data on occupational Cr(VI) exposure to support the regulatory risk assessment and decision-making. In addition, the capability and validity of different biomarkers for the assessment of Cr(VI) exposure were evaluated. The study involved nine European countries and involved 399 workers in different industry sectors with exposures to Cr(VI) such as welding, bath plating, applying or removing paint and other tasks. We also studied 203 controls to establish a background in workers with no direct exposure to Cr(VI). We applied a cross-sectional study design and used chromium in urine as the primary biomonitoring method for Cr(VI) exposure. Additionally, we studied the use of red blood cells (RBC) and exhaled breath condensate (EBC) for biomonitoring of exposure to Cr(VI). Personal measurements were used to study exposure to inhalable and respirable Cr(VI) by personal air sampling. Dermal exposure was studied by taking hand wipe samples. The highest internal exposures were observed in the use of Cr(VI) in electrolytic bath plating. In stainless steel welding the internal Cr exposure was clearly lower when compared to plating activities. We observed a high correlation between chromium urinary levels and air Cr(VI) or dermal total Cr exposure. Urinary chromium showed its value as a first approach for the assessment of total, internal exposure. Correlations between urinary chromium and Cr(VI) in EBC and Cr in RBC were low, probably due to differences in kinetics and indicating that these biomonitoring approaches may not be interchangeable but rather complementary. 
    This study showed that occupational biomonitoring studies can be conducted successfully by multi-national collaboration and provide relevant information to support policy actions aiming to reduce occupational exposure to chemicals.

    Liraglutide and Renal Outcomes in Type 2 Diabetes.

    BACKGROUND: In a randomized, controlled trial that compared liraglutide, a glucagon-like peptide 1 analogue, with placebo in patients with type 2 diabetes and high cardiovascular risk who were receiving usual care, we found that liraglutide resulted in lower risks of the primary end point (nonfatal myocardial infarction, nonfatal stroke, or death from cardiovascular causes) and death. However, the long-term effects of liraglutide on renal outcomes in patients with type 2 diabetes are unknown. METHODS: We report the prespecified secondary renal outcomes of that randomized, controlled trial in which patients were assigned to receive liraglutide or placebo. The secondary renal outcome was a composite of new-onset persistent macroalbuminuria, persistent doubling of the serum creatinine level, end-stage renal disease, or death due to renal disease. The risk of renal outcomes was determined with the use of time-to-event analyses with an intention-to-treat approach. Changes in the estimated glomerular filtration rate and albuminuria were also analyzed. RESULTS: A total of 9340 patients underwent randomization, and the median follow-up of the patients was 3.84 years. The renal outcome occurred in fewer participants in the liraglutide group than in the placebo group (268 of 4668 patients vs. 337 of 4672; hazard ratio, 0.78; 95% confidence interval [CI], 0.67 to 0.92; P=0.003). This result was driven primarily by the new onset of persistent macroalbuminuria, which occurred in fewer participants in the liraglutide group than in the placebo group (161 vs. 215 patients; hazard ratio, 0.74; 95% CI, 0.60 to 0.91; P=0.004). The rates of renal adverse events were similar in the liraglutide group and the placebo group (15.1 events and 16.5 events per 1000 patient-years), including the rate of acute kidney injury (7.1 and 6.2 events per 1000 patient-years, respectively). 
    CONCLUSIONS: This prespecified secondary analysis shows that, when added to usual care, liraglutide resulted in lower rates of the development and progression of diabetic kidney disease than placebo. (Funded by Novo Nordisk and the National Institutes of Health; LEADER ClinicalTrials.gov number, NCT01179048.)