As part of a collaborative long-term research project in human±computer interaction (HCI), the use of electronic archiving was studied by making pre-publication material available over the Internet, through anonymous FTP directories and pages on the World Wide Web. The archive was designed to ful® l two aims. First, it was a live experim ent in computer supported co-operative work. Documents we...

Security problems like sql code injection and cross-site scripting vulnerabilities can be traced to the, common, use of unstructured strings to represent structured data and code. This paper gives an explanation of the issue, and develops and discusses an alternative generic encoding for structured string data that, by adding an appropriate, yet minimal layer of abstraction for meta-information...

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. ...

It is now widely believed that FlexRay communication protocol will become the de-facto standard for distributed safety-critical automotive systems. In this paper, the fault sensitivity of the FlexRay communication controller registers are investigated using transient single bit-flip fault injection. To do this, a FlexRay bus network, composed of four nodes, was modeled. A total of 135,600 trans...

The Kirchhoff-law-Johnson-noise (KLJN) scheme is a statistical/physical secure key exchange system based on the laws of classical statistical physics to provide unconditional security. We used the LTSPICE industrial cable and circuit simulator to emulate one of the major active (invasive) attacks, the current injection attack, against the ideal and a practical KLJN system, respectively. We show...

This paper proposes an approach to facilitate the identification of actual input manipulation vulnerabilities via automated testing based on static analysis. We implemented a prototype of a SQL injection vulnerability detection tool, SQLUnitGen, which we compared to a static analysis tool, FindBugs. The evaluation results show that our approach can be used to locate precise vulnerable locations...

We present a feasibility study to protect smart card software against fault-injection attacks by means of binary code rewriting. We implemented a range of protection techniques in a link-time rewriter and evaluate and discuss the obtained coverage, the associated overhead and engineering effort, as well as its practical usability.

The security of low-end embedded systems became a very important topic as they are more connected and pervasive. This thesis explores software attacks in the context of embedded systems such as wireless sensor networks. These devices usually employ a micro-controller with very limited computing capabilities and memory availability, and a large variety of architectures. In the first part of this...

This paper presents an experimental study of the fault sensitivity of four programs included in the MiBench test suit. We investigate their fault sensitivity with respect to hardware faults that manifest as single bit flips in main memory locations and instruction set architecture registers. To this end, we have conducted extensive fault injection experiments with two versions of each program, ...

Linear codes with complementary duals (abbreviated LCD) are linear codes whose intersection with their dual are trivial. When they are binary, they play an important role in armoring implementations against side-channel attacks and fault injection attacks. Non-binary LCD codes in characteristic 2 can be transformed into binary LCD codes by expansion. In this paper, we introduce a general constr...