32 research outputs found
reclaimID: Secure, Self-Sovereign Identities using Name Systems and Attribute-Based Encryption
In this paper we present reclaimID: An architecture that allows users to
reclaim their digital identities by securely sharing identity attributes
without the need for a centralised service provider. We propose a design where
user attributes are stored in and shared over a name system under user-owned
namespaces. Attributes are encrypted using attribute-based encryption (ABE),
allowing the user to selectively authorize and revoke access of requesting
parties to subsets of his attributes. We present an implementation based on the
decentralised GNU Name System (GNS) in combination with ciphertext-policy ABE
using type-1 pairings. To show the practicality of our implementation, we
carried out experimental evaluations of selected implementation aspects
including attribute resolution performance. Finally, we show that our design
can be used as a standard OpenID Connect Identity Provider allowing our
implementation to be integrated into standard-compliant services.
Comment: 12 page
ZKlaims: Privacy-preserving Attribute-based Credentials using Non-interactive Zero-knowledge Techniques
In this paper we present ZKlaims: a system that allows users to present
attribute-based credentials in a privacy-preserving way. We achieve a
zero-knowledge property on the basis of Succinct Non-interactive Arguments of
Knowledge (SNARKs). ZKlaims allow users to prove statements on credentials
issued by trusted third parties. The credential contents are never revealed to
the verifier as part of the proving process. Further, ZKlaims can be presented
non-interactively, mitigating the need for interactive proofs between the user
and the verifier. This allows ZKlaims to be exchanged via fully decentralized
services and storages such as traditional peer-to-peer networks based on
distributed hash tables (DHTs) or even blockchains. To show this, we include a
performance evaluation of ZKlaims and show how it can be integrated in
decentralized identity provider services.
Comment: 8 pages, published at SECRYPT 201
Towards Tracking Data Flows in Cloud Architectures
As cloud services become central in an increasing number of applications,
they process and store more personal and business-critical data. At the same
time, privacy and compliance regulations such as GDPR, the EU ePrivacy
regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure
processing and traceability of critical data. Especially the demand to provide
information about existing data records of an individual and the ability to
delete them on demand is central in privacy regulations. Common to these
requirements is that cloud providers must be able to track data as it flows
across the different services to ensure that it never moves outside of the
legitimate realm, and it is known at all times where a specific copy of a
record that belongs to a specific individual or business process is located.
However, current cloud architectures neither provide the means to
holistically track data flows across different services nor to enforce policies
on data flows. In this paper, we point out the deficits in the data flow
tracking functionalities of major cloud providers by means of a set of
practical experiments. We then generalize from these experiments introducing a
generic architecture that aims at solving the problem of cloud-wide data flow
tracking and show how it can be built in a Kubernetes-based prototype
implementation.
Comment: 11 pages, 5 figures, 2020 IEEE 13th International Conference on Cloud Computing (CLOUD
Efficiently Manifesting Asynchronous Programming Errors in Android Apps
Android, the #1 mobile app framework, enforces the single-GUI-thread model,
in which a single UI thread manages GUI rendering and event dispatching. Due to
this model, it is vital to avoid blocking the UI thread for responsiveness. One
common practice is to offload long-running tasks into async threads. To achieve
this, Android provides various async programming constructs, and leaves
developers themselves to obey the rules implied by the model. However, as our
study reveals, more than 25% of apps violate these rules and introduce
hard-to-detect, fail-stop errors, which we term async programming errors
(APEs). To this end, this paper introduces APEChecker, a technique to
automatically and efficiently manifest APEs. The key idea is to characterize
APEs as specific fault patterns, and synergistically combine static analysis
and dynamic UI exploration to detect and verify such errors. Among the 40
real-world Android apps, APEChecker unveils and processes 61 APEs, of which 51
are confirmed (83.6% hit rate). Specifically, APEChecker detects 3X more APEs
than the state-of-the-art testing tools (Monkey, Sapienz and Stoat), and reduces
testing time from half an hour to a few minutes. On a specific type of APEs,
APEChecker confirms 5X more errors than the data race detection tool,
EventRacer, with very few false alarms
Mechanistic insight into RET kinase inhibitors targeting the DFG-out conformation in RET-rearranged cancer
Oncogenic fusion events have been identified in a broad range of tumors. Among them, RET rearrangements represent distinct and potentially druggable targets that are recurrently found in lung adenocarcinomas. Here, we provide further evidence that current anti-RET drugs may not be potent enough to induce durable responses in such tumors. We report that potent inhibitors such as AD80 or ponatinib that stably bind in the DFG-out conformation of RET may overcome these limitations and selectively kill RET-rearranged tumors. Using chemical genomics in conjunction with phosphoproteomic analyses in RET-rearranged cells we identify the CCDC6-RETI788N mutation and drug-induced MAPK pathway reactivation as possible mechanisms, by which tumors may escape the activity of RET inhibitors. Our data provide mechanistic insight into the druggability of RET kinase fusions that may be of help for the development of effective therapies targeting such tumors