-
Deepfake Detection in Super-Recognizers and Police Officers IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-03-26 Meike Ramon, Matthew Vowels, Matthew Groh
-
Verifiable Sustainability in Data Centers IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-03-18 Syed Rafiul Hussain, Patrick McDaniel, Anshul Gandhi, Kanad Ghose, Kartik Gopalan, Dongyoon Lee, Yu David Liu, Zhenhua Liu, Shuai Mu, Erez Zadok
-
Synthetic Data: Methods, Use Cases, and Risks IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-03-12 Emiliano De Cristofaro
-
Fuzzerfly Effect: Hardware Fuzzing for Memory Safety IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-03-07 Mohamadreza Rostami, Chen Chen, Rahul Kande, Huimin Li, Jeyavijayan Rajendran, Ahmad-Reza Sadeghi
-
Full Spatial and Temporal Memory Safety for C IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-02-19 Santosh Nagarakatte
-
AI Code Generators for Security: Friend or Foe? IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-02-01 Roberto Natella, Pietro Liguori, Cristina Improta, Bojan Cukic, Domenico Cotroneo
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Friction Matters: Balancing the Pursuit of Perfect Protection With Target Hardening IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-22 Elissa M. Redmiles
It is my great pleasure to share a guest “Last Word” column by Dr. Elissa Redmiles, Clare Luce Boothe Assistant Professor at Georgetown University, with IEEE Security & Privacy (S&P) readers. Prof. Redmiles has gained particular attention due to her highly lauded work in security and privacy inequities in marginalized and at-risk communities. This column gives a flavor of the real-world practical insights
-
The Holy Grail of Vulnerability Predictions IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-22 Fabio Massacci
Scoring vulnerabilities is a hard task, and we build standards for this purpose: the Common Vulnerability Scoring System (CVSS) used by NIST is the oldest of them. It was invented by Peter Mell and Karen Scarfone, among others, to assess severity.1
-
Security and Privacy in the Metaverse IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-22 Franziska Roesner, Tadayoshi Kohno
This special issue explores current and future security, privacy, and safety challenges that will arise with the increasingly widespread adoption of sensor-rich augmented, mixed, and virtual reality technologies that mediate users’ perceptions of the physical world.
-
A Viewpoint on the Societal Impact of Everyday Augmented Reality and the Need for Perceptual Human Rights IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-22 Joseph O’Hagan, Jan Gugenheimer, Florian Mathis, Jolie Bonner, Richard Jones, Mark McGill
Everyday augmented reality will become as fundamental to our daily lives as smartphones are today. —empowering users, communities, businesses, governments, and more to alter or mediate our perception of reality. But is society prepared for a world where a common objective reality that we all perceive and experience no longer exists?
-
Evaluating Security Through Isolation and Defense in Depth IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-22 Eric Bodden, Jens Pottebaum, Markus Fockel, Iris Gräßler
We explain why evaluating a software system’s security is currently complicated by the inclusion of untrusted code and how novel technologies for code isolation may come to the rescue and enable an effective security evaluation.
-
Known Vulnerabilities of Open Source Projects: Where Are the Fixes? IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-05 Antonino Sabetta, Serena Elisa Ponta, Rocio Cabrera Lozoya, Michele Bezzi, Tommaso Sacchetti, Matteo Greco, Gergő Balogh, Péter Hegedűs, Rudolf Ferenc, Ranindya Paramitha, Ivan Pashchenko, Aurora Papotti, Ákos Milánkovich, Fabio Massacci
-
Role of Gender in the Evaluation of Security Decisions IEEE Secur. Priv. (IF 1.9) Pub Date : 2024-01-05 Winnie Mbaka, Katja Tuma
-
Understanding Privacy in Virtual Reality Classrooms: A Contextual Integrity Perspective IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-12-11 Karoline Brehm, Yan Shvartzshnaider
We outline privacy concerns and challenges associated with adopting virtual reality technologies in established social contexts using the theory of contextual integrity, examining information flows within and in between the real and virtual environments that could violate existing privacy norms.
-
Shockvertising, Malware, and a Lack of Accountability: Exploring Consumer Risks of Virtual Reality Advertisements and Marketing Experiences IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-12-08 Abraham Mhaidli, Shwetha Rajaram, Selin Fidan, Gina Herakovic, Florian Schaub
Companies increasingly use virtual reality (VR) for advertising. This begs the question, What risks does VR advertising pose for consumers? We analyze VR marketing experiences to identify risks and discuss opportunities to address those and future risks in VR advertising.
-
Augmenting Security and Privacy in the Virtual Realm: An Analysis of Extended Reality Devices IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-12-04 Derin Cayir, Abbas Acar, Riccardo Lazzeretti, Marco Angelini, Mauro Conti, Selcuk Uluagac
We present a device-centric analysis of security and privacy attacks and defenses on extended reality (XR) devices. We present future research directions and propose design considerations to help ensure the security and privacy of XR devices.
-
Securing Bystander Privacy in Mixed Reality While Protecting the User Experience IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-12-04 Matthew Corbett, Brendan David-John, Jiacheng Shang, Y. Charlie Hu, Bo Ji
The modern mixed-reality devices that make the Metaverse viable require vast information about the physical world and can also violate the privacy of unsuspecting or unwilling bystanders. We provide an introduction to the problem, existing solutions, and avenues for future research.
-
Software Supply Chain Security [Guest Editors’ Introduction] IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Fabio Massacci, Laurie Williams
Today, the Ancient Mariner would rhyme “Code, code every where, Not any drop to trust.” This special issue of IEEE Security & Privacy highlights software supply chain security research and experiences of value to practitioners and researchers alike.
-
Truth in Motion: The Unprecedented Risks and Opportunities of Extended Reality Motion Data IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-16 Vivek Nair, Louis Rosenberg, James F. O’Brien, Dawn Song
Motion-tracking telemetry data lie at the core of most modern extended reality (XR) and metaverse experiences. Recent studies have demonstrated that motion data have the potential to profile and deanonymize XR users, posing a threat to privacy in the metaverse.
-
Trustworthy AI Means Public AI [Last Word] IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Bruce Schneier
Back in 1998, Sergey Brin and Larry Page introduced the Google search engine in an academic paper that questioned the ad-based business model of the time. They wrote: “We believe the issue of advertising causes enough mixed incentives that it is crucial to have a competitive search engine that is transparent and in the academic realm.” Although they didn’t use the word, their argument was that a search
-
Unusable Security for Attackers [From the Editors] IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Mary Ellen Zurko
One of the things that makes security research different from other research is the presence of attackers, potentially or in actuality. The early research I was exposed to barely touched on the attacker. The Trusted Computer System Evaluation Criteria from the 1980s had hardly a whisper of functionality specifically for countering attacks, beyond auditing security relevant events. When we were researching
-
A Viewpoint on Knowing Software: Bill of Materials Quality When You See It IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Santiago Torres-Arias, Dan Geer, John Speed Meyers
Software bills of materials (SBOMs) have become a required mechanism to communicate software supply chain information. However, even though they experience wide and increasing adoption, using them to improve supply chain security remains a challenge. We posit that, in order to achieve the intended goal of SBOMs, we must first develop mechanisms to measure their quality.
-
A Viewpoint on Software Supply Chain Security: Are We Getting Lost in Translation? IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Marcela S. Melara, Santiago Torres-Arias
Many of the adoption challenges in securing the software supply chain are largely caused by the language we use to describe risk and defenses and other sociocultural gaps. We shed light on the impacts of these gaps and opportunities to overcome them.
-
A Viewpoint on Human Factors in Software Supply Chain Security: A Research Agenda IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Marcel Fourné, Dominik Wermke, Sascha Fahl, Yasemin Acar
While securing dependencies and build systems is necessary, recent attacks have shown that developers are a commonly successfully attacked link in the chain. Therefore, a comprehensive approach that considers the human factor is crucial for effective software supply chain security.
-
Privacy-Preserving Machine Learning [Cryptography] IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-11-13 Florian Kerschbaum, Nils Lukas
Privacy challenges in machine learning can stem from leakage by the model or from distributed data sources. Differential privacy addresses model leakage and computation over encrypted data the other. During training cryptographic approaches need to be augmented with techniques such as federated learning.
-
Delta Security Certification for Software Supply Chains IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-22 Ákos Milánkovich, Katja Tuma
We developed and evaluated an industry-level tool to support practitioners in analyzing and visualizing delta-certification to aid small companies specializing in security evaluation of the software supply chain.
-
In Your Eyes IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Tadayoshi Kohno
In mixed reality, will virtual content change our perception of the physical world?
-
Why Is Static Application Security Testing Hard to Learn? IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Padmanabhan Krishnan, Cristina Cifuentes, Li Li, Tegawendé F. Bissyandé, Jacques Klein
In this article, we summarize our experience in combining program analysis with machine learning (ML) to develop a technique that can improve the development of specific program analyses. Our experience is negative. We describe the areas that need to be addressed if ML techniques are to be useful in the program analysis context. Most of the issues that we report are different from the ones that discuss
-
Lessons Learned on Machine Learning for Computer Security IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, Konrad Rieck
We identify 10 generic pitfalls that can affect the experimental outcome of AI driven solutions in computer security. We find that they are prevalent in the literature and provide recommendations for overcoming them in the future.
-
An Analysis of European Union Cybersecurity Higher Education Programs Through the Crowd-Sourced Database CyberHEAD IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Konstantinos Adamos, Fabio Di Franco, Athanasios Grammatopoulos
In this work, we present an analysis of the data of the Cybersecurity Higher Education Database (CyberHEAD) of the European Union Agency for Cybersecurity (ENISA) to highlight the state of play in the European Union regarding the cybersecurity skills supply.
-
Convergence: Ongoing IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Daniel E. Geer
Biology and artificial intelligence, two areas of rapid technical advance, are converging. By converging, I mean the two areas are on the hunt to solve steering problems that, if viewed in a particular light, are restatements each of the other.
-
Transient Execution Attacks IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-09-06 Frank Piessens
To rigorously study transient execution attacks, researchers have Id relatively simple processor models that nonetheless adequately model all relevant processor behavior. Based on these models, we provide an accessible explanation of the essence of this class of attacks.
-
Challenges of Producing Software Bill of Materials for Java IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-08-31 Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, César Soto-Valero, Martin Wittlinger
Software bills of materials (SBOMs) promise to become the backbone of software supply chain hardening. We deep-dive into six tools and the SBOMs they produce for complex open source Java projects, revealing challenges regarding the accurate production and usage of SBOMs.
-
Journey to the Center of Software Supply Chain Attacks IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-08-21 Piergiorgio Ladisa, Serena Elisa Ponta, Antonino Sabetta, Matias Martinez, Olivier Barais
This article discusses open source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool Risk Explorer for Software Supply Chains to explore such information, and we discuss its industrial use-cases.
-
On Software Infrastructure: Develop, Prove, Profit? IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-25 Sean Peisert
Having infrastructure survive over very long stretches of time is a nontrivial task. This is either because such infrastructure needs to be built extremely well from the outset or because it requires ongoing maintenance. The former may require prohibitively large initial investments. The latter requires ongoing investment from public agencies over the span of decades or centuries despite the pendulum
-
Securing Critical Infrastructure Across Cyber and Physical Dimensions IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-25 Gabriela F. Ciocarlie, Jianying Zhou
Welcome to the IEEE Security & Privacy “Securing Critical Infrastructure Across Cyber and Physical Dimensions” special issue! This special issue focuses on research and practices for securing cyberphysical critical infrastructure.
-
Toward Common Weakness Enumerations in Industrial Control Systems IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-25 David M. Nicol, Gregory Shannon, Monika Akbar, Matt Bishop, Michael Chaney, Matthew Luallen
The storyline of MITRE’s common weakness enumeration framework illustrates how the security and privacy technical community can collaborate/cooperate with policy makers to advance policy, giving it specifics and filling gaps of technical knowledge to improve security and resilience of critical infrastructure.
-
Computing on Encrypted Data IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-25 Nigel Smart
The ability to compute on encrypted data is fast becoming a practical reality. We discuss the progress in four technologies which enable this: Trusted Execution Environments, Fully Homomorphic Encryption, Multi-Party Computation and Zero-Knowledge Proofs.
-
Is Cybersecurity Liability a Liability? IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-25 Steven M. Bellovin
One element of the Biden administration’s cybersecurity policy is liability for security failures. I’ve been saying for many years that this is an idea very much worth serious study—if implemented correctly, the market could work its magic and create incentives for software vendors to clean up their act. That said, there are a number of serious questions that have to be answered first—and the wrong
-
Challenges and Opportunities for Beyond-5G Wireless Security IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-07-13 Eric Ruzomberka, David J. Love, Christopher G. Brinton, Arpit Gupta, Chih-Chun Wang, H. Vincent Poor
The demand for broadband wireless access is driving research and standardization of 5G and beyond-5G wireless systems. In this article, we aim to identify emerging security challenges for these wireless systems and pose multiple research areas to address these challenges.
-
OpenSSF Scorecard: On the Path Toward Ecosystem-Wide Automated Security Metrics IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-06-26 Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams
The OpenSSF Scorecard project is an automated tool to monitor the security health of open source software. This study evaluates the applicability of the Scorecard tool and compares the security practices and gaps in the npm and PyPI ecosystems.
-
Reconfigurable Digital Twin to Support Research, Education, and Training in the Defense of Critical Infrastructure IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-06-15 Aditya P. Mathur
A digital twin is a virtual system designed to reproduce the operation of a physical object. This work describes the architecture, deployment, and use of a reconfigurable digital twin to support research, education, and training in cybersecurity in the context of Industrial Control Systems.
-
Security-Enhancing Digital Twins: Characteristics, Indicators, and Future Perspectives IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-06-01 Matthias Eckhart, Andreas Ekelhart, David Allison, Magnus Almgren, Katharina Ceesay-Seitz, Helge Janicke, Simin Nadjm-Tehrani, Awais Rashid, Mark Yampolskiy
The term digital twin (DT) has become a key theme of the cyber-physical systems (CPSs) area while remaining vaguely defined as a virtual replica of an entity. This article identifies DT characteristics essential for enhancing CPS security and discusses indicators to evaluate them.
-
On Bridges and Software IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-05-26 Trent Jaeger
Lately, I have been thinking about how the lessons of traditional engineering disciplines may be leveraged to develop more secure software. In particular, I have been thinking about how designing bridges to avoid failure may help us to develop software in a manner that avoids introducing exploitable flaws.
-
Impact of Emerging Hardware on Security and Privacy IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-05-26 Trent Jaeger, Brent ByungHoon Kang, Nele Mentens, Cynthia Sturton
The articles in this special issue focus on ongoing research efforts in the development, use, and evaluation of emerging hardware features and techniques to improve system security. We have seen the emergence of new hardware features to improve software security by limiting memory access within an address space, such as Intel’s memory protection keys (MPKs) and extended page table (EPT) switching,
-
Electric Sheep on the Pastures of Disinformation and Targeted Phishing Campaigns: The Security Implications of ChatGPT IEEE Secur. Priv. (IF 1.9) Pub Date : 2023-05-26 Kacper T. Gradonm
This article explores the potential for the criminal abuse and hybrid-warfare weaponization of ChatGPT technology. The focus is placed on the opportunities for the possible utilization of such tools by malign actors who engage in the orchestration and running of targeted phishing campaigns or who design, produce and propagate disinformation. The author raises the question about the ethical, moral and