Accepted Papers

FIDO2's passkey aims to provide a passwordless authentication solution. It relies on two main protocols -- WebAuthn and CTAP2 -- for authentication in computer systems, relieving users from the burden of using and managing passwords.

FIDO2's passkey leverages asymmetric cryptography to create a unique public/private key pair for website authentication. While the public key is kept at the website/application, the private key is created and stored on the authentication device designated as the authenticator. The authenticator can be the computer itself -- same-device signing --, or another device -- cross-device signing --, such as an Android smartphone that connects to the computer through a short-range communication method (NFC, Bluetooth).

Authentication is performed by the user unlocking the authenticator device.

In this paper, we report on the digital forensic artifacts left on Windows 11 systems by registering and using passkeys to authenticate on websites. We show that digital artifacts are created in Windows Registry and Windows Event Log.

These artifacts enable the precise dating and timing of passkey registration, as well as the usage and identification of the websites on which they have been activated and utilized. We also identify digital artifacts created when Android smartphones are registered and used as authenticators in a Windows system. This can prove useful in detecting the existence of smartphones linked to a given individual.

Reusable software components, typically integrated as libraries, are a central paradigm of modern software development. 
By incorporating a library into their software, developers trust in its quality and its correct and complete implementation.
Since errors in a library affect all applications using it, there is a need for quality assurance tools such as automated testing that can be used by library and application developers to verify the functionality.
In the past decade, many different systems have been published that focus on the automated analysis of TLS implementations for finding bugs and security vulnerabilities.

However, all of these systems focus only on few TLS components and lack a common analysis scenario and inter-approach comparisons.
Especially, the amount of manual effort required across the whole analysis process to obtain the root cause of an error is often ignored.
In this paper, we survey and categorize literature on automated testing approaches for TLS libraries.
The results reveal a heterogeneous landscape of approaches with a trade-off between the manual effort required for setup and for result interpretation, along with major deficits in the considered performance metrics.
These imply important future directions which need to be followed to advance the current state of protocol test automation

Cybersecurity’s constantly evolving field demands defense mechanisms’ continuous development and refinement. Memory corruption attacks, including buffer overflows and use-after-free vulnerabilities, have long been a significant threat, especially for web browsers. Microsoft introduced Control Flow Guard (CFG) as a mitigative measure against advanced exploitation techniques, like ROP and use-after-free-based exploits, to address these risks. This paper delves into the internals of CFG, its implementation, effectiveness, and possible bypasses that could undermine its security. A thorough examination of Microsoft’s CFG design principles gives the reader an in-depth understanding of how CFG enforces control flow integrity within a program’s execution. The limitations of this mitigation are highlighted by employing a direct return address overwrite to exploit the ChakraCore JavaScript engine.

Additional potential bypasses are investigated, considering other scenarios wherein CFG might get circumvented. This exploration emphasizes the importance of continued research and development in the field of exploit mitigation, and the chaining of multiple mitigations to address evolving threats and maintain the security and integrity of modern software.

In conclusion, the paper discusses the Windows CFG and its ramifications on memory corruption attacks. It manifests the effectiveness against specific exploitation methods while spotlighting limitations and potential bypasses that could jeopardize its security.

Machine learning (ML) models are used in many safety and security-critical applications nowadays. It is therefore of interest to measure the security of a system that uses ML as its component.

This paper deals with the field of ML, especially security on autonomous vehicles. For this purpose, the concept of a technical framework will be described, implemented, and evaluated in a case study. Based on ISO/IEC 27004:2016, risk indicators are utilized to measure and evaluate the extent of damage and the effort required by an attacker. It is not possible, as assumed, to determine a risk value that represents the attacker's effort. Therefore, four different values must be interpreted individually.

Reversible network covert channels are a security threat that allows its users to restore the carrier object before sending it to the overt receiver, drawing detection challenging. Some of these covert channels utilize computational intensive operations, such as the calculation of cryptographic hash chains. Currently, these computational intensive reversible covert channels are considered difficult to detect.
This paper proposes ways of utilizing shape analysis of packet runtime distributions to detect such computational intensive covert channels. To this end, we simulated the latency of traffic modified by a hash-chain based covert channel by adding mock hash-reconstruction runtimes to runtimes of legitimate ping traffic. After qualitatively observing the changes in the empirical probability distribution between modified and natural traffic, we investigated machine learning algorithms for their ability to detect the covert channel’s presence. We show that a decision tree-based AdaBoost classifier using the investigated statistical measures as input vector and a convolutional neural network applied directly to the packet runtime empirical probability distribution are able to classify sets of 50 ping measurements with high accuracy for low to medium high latency connections. Our approach improves significantly over previous work done on the detection of computational intensive covert
channels as our approach both requires smaller sampling window sizes and achieves significantly higher detection rates on the same reference dataset.

The key to secure implementation of the Self-Sovereign Identity (SSI) model in IoT nodes is the Key Management System (KMS). A KMS for a large number of identity key pairs, bound to an appropriate combination of the IoT node hardware and firmware, and possibly running in a Trusted Execution Environment to ensure a high level of trust in the isolation, access control, and validity of key material and cryptographic operations. This paper presents the design of a novel KMS for SSI native IoT nodes, which adapts the principles of the deterministic key hierarchy used by cryptocurrency wallets to provide trusted key pair generation and usage to any SSI framework.

The implementation of the identity path and identity key derivation algorithm on a constrained IoT node demonstrates the feasibility of the design.

In IoT applications, embedded devices acquire and transmit data to control and optimize industrial processes. In order to trust this data, the trustworthiness of the data acquisition system, such as the sensors and the integrated signal processing components, is a crucial requirement. Software authenticity is provided with concepts like measured boot. Expanding authenticity to hardware components requires and motivates new approaches like hardware fingerprinting.

In this paper, we review and systematize current research and trends in hardware fingerprinting. We provide insights to current research directions by reviewing multiple survey and review papers and derive a common definition for fingerprinting based on the reviewed literature.

We identify three different fingerprinting techniques: Hardware Fingerprinting, Behavior Fingerprinting and Radio Frequency Fingerprinting, which can be used for multiple application scenarios. By decomposing a common embedded system architecture, we provide four trust domains from which we can create a hardware fingerprint: Main Processing Domain, On-Device Communication Domain, Peripheral Domain and Environmental Domain.

With this in mind, a new fingerprinting taxonomy is developed, taking into account different data sources and evaluation techniques. We distinguish between intrinsic and extrinsic data sources and direct and indirect data evaluation.

In order to get an understanding of the scope of the fingerprinting techniques w.r.t. their trust domain and application scenarios, a new categorization model is created which binds the data sources to a physical asset of the device, thus making it possible to determine to what extend a device's components can be trusted and in which applications it may be applicable.

Increasing cyber attacks underscore the importance of addressing system vulnerabilities to reduce security risks. To structure our workflow of vulnerability management, we made use of relevant and widely adopted industrial standards, while also incorporating the concept of digital twins. Therefore, this research suggests a vulnerability management digital twin that aligns with the ISO 23247-2 framework. It specifically emphasizes recommendations for the ‘data collection’ function following the workflow outlined in IEC 62443-2-3, and exemplifying use cases based on a typical automation architecture of energy systems. We evaluated the CVSS framework to prioritize scores and also examined ways to integrate CVSS with other contextual information to develop a mitigation deployment strategy. The goal was to assist asset owners in optimizing resource utilization in addressing vulnerabilities.

Digitalization of society brought improvement in many aspects of life but it also brought new cybersecurity challenges. The number of sophisticated, targeted cyber attacks is increasing, which requires constant improvements in Cybersecurity education. Despite this pressing need, the cybersecurity workforce gap is getting bigger. This paper presents a new approach for dynamic cybersecurity curriculum development that utilizes keyword extraction from various sources such as job ads, courses, and curricula with machine learning to quantify curriculum alignment with cybersecurity industry demands and address the workforce gap. The analysis illustrates curricula in the Central East Europe (CEE) region, maps cyber security job ads to curricula and quantifies coverage of courses, industry, and reference framework topics based on keyword matching. The case study conducted with curricula from CEE illustrates coverage according to the ENISA’s European Cybersecurity Skills Framework (ECSF) roles and optimization progress after adjustment application. The results demonstrate the importance of dynamic curriculum updates for academic institutions including cybersecurity workforce gap reduction and lack of real progress towards alignment with ECSF.

The fairness of Artificial Intelligence (AI) has gained tremendous attention within the criminal justice system in recent years, mainly when predicting the risk of recidivism. The primary reason is attributed to evidence of bias towards demographic groups when deploying these AI systems. Many proposed fairness-improving techniques applied at each of the three phases of the fairness pipelines, pre-processing, in-processing and post-processing phases, are often ineffective in mitigating the bias and attaining high predictive accuracy. This paper proposes a novel approach by integrating existing fairness-improving techniques: Reweighing, Adversarial Learning, Disparate Impact Remover, Exponential Gradient Reduction, Reject Option-based Classification, and Equalized Odds optimization across the three fairness pipelines simultaneously. We evaluate the effect of combining these fairness-improving techniques on enhancing fairness and attaining accuracy. In addition, this study uses multi- and bi-objective optimization techniques to provide and to make well-informed decisions when predicting the risk of recidivism. Our analysis found that one of the most effective combinations (i.e., disparate impact remover, adversarial learning, and equalized odds optimization) demonstrates a substantial enhancement and balances achievement in fairness through various metrics without a notable compromise in accuracy.

Incident management in telecom and computer networks requires correlating and interpreting heterogeneous technical information sources. While knowledge graphs have proven flexible for data integration and logical reasoning, their use in network and cybersecurity monitoring systems (NMS/SIEM) is not yet widespread. In this work, we explore the integration of knowledge graphs to facilitate the diagnosis of complex situations from the perspective of NetOps/SecOps experts who use NMS/SIEMs. Through expert interviews, we identify expectations in terms of ergonomics and decision support functions, and propose a Web-based client-server software architecture using an RDF knowledge graph that describes network systems and their dynamics. Based on a UI/UX evaluation and feedback from a user panel, we demonstrate the need to go beyond simple data retrieval from the knowledge graph. We also highlight the importance of synergistic reasoning and interactive analysis of multi-layered systems. Overall, our work provides a foundation for future designs of knowledge-graph-based NMS/SIEM decision support systems with hybrid logical/probabilistic reasoning.

Transport Layer Security protocol is widely used nowadays to secure communication channels in various applications running in network, IoT, and embedded systems environments. In the last decade, several attacks affecting the TLS specification, the implementation, the cryptographic vulnerabilities, or the deployment of the TLS-enabled software have been discovered. Although solutions exist for each class of attacks, an attacker may corrupt the TLS support on an end node (even temporarily) making it vulnerable to attacks. To test the resistance of a TLS server to attacks several tools or services exist, that mainly scan a target host looking for wrong configurations. We propose instead a network-based intrusion detection tool named Threat-TLS, aimed to individuate weak, suspicious, or malicious TLS connections. Attackers might establish such connections to hide and distribute potentially dangerous data content, like malware. Alternatively, weak TLS connections could be opened by (legitimate) systems or servers that have been compromised and are prone to TLS attacks, such as systems whose TLS configuration has been changed to use an old TLS version or outdated cryptographic algorithms. We have tested the proposed tool in a testbed environment, illustrating its performance in detecting some TLS attacks.

Time is an often recurring quasi-identifying attribute in many datasets. Anonymizing such datasets requires generalizing the time attribute(s) in the dataset. Examples are start dates and durations, which are traditionally generalized leading to intervals that do not embrace the relation between time attributes. This paper presents advanced methods for creating generalization hierarchies for time data. We propose clustering-based and Mondrian-based techniques to construct generalization hierarchies. These approaches take into account the relation between different time attributes and are designed to improve the utility of the anonymized data. We implemented these methods and conducted a set of experiments comparing them to traditional generalization strategies. The results show that our proposed methods improve the utility of the data for both statistical analysis and machine learning applications. Our approach demonstrates a significant increase in hierarchy quality and configuration flexibility, demonstrating the potential of our advanced techniques over existing methods.

Implementing strong authentication methods in a network requires stable connectivity between the service providers deployed within the network (i.e., applications that users of the network need to access) and the Identity and Access Management (IAM) server located at the core segment of the network. This becomes challenging when it comes to Operational Technology (OT) systems deployed in a remote area, as they often get disconnected from the core segment of the network owing to unavoidable network disruptions. As a result, weak authentication methods and shared credential approaches are still adopted in these OT environments, exposing system vulnerabilities to increasingly sophisticated cyber threats. In this work, we propose a solution to enable highly available multi-factor authentication (MFA) services for OT environments. The proposed solution is based on Proof-of-Possession (PoP) tokens generated by an IAM server for registered users. The tokens are securely linked to user-specific parameters (e.g., physical security keys, biometrics, PIN, etc.), enabling strong user authentication (during disconnection time) through token validation. We deployed the Tamarin Prover software-based toolkit to verify security of the proposed authentication scheme. For performance evaluation, we implemented the designed solution in real-world settings. The results of our analysis and experiments confirm the efficacy of the proposed solution.

DocExploit team creates innovative and high-quality cybersecurity solutions to meet the increasing security needs of the digital transformation process and Industry4.0.

DocExploit activity focuses on developing different tools to ensure the security of software applications and container environment: the first and core tool is DocSpot which detects vulnerabilities in application source code, Docdocker scans for vulnerabilities in containers and SirDocker manages and monitors containers efficiently and securely. In addition, we project to develop DocIoT (part of firmware), DocAPI (secure API) and DocAir (runtime security) to offer a comprehensive cybersecurity suite over the software supply chain and to support developers holding security as a key component over the Software Development life-cycle.

To prevent cybersecurity attacks, DocExploit wants to improve the quality and security of software mainly by leveraging knowledge graph technology. We design reliable tools by building a semantic graph-based abstraction of the code from the compiler state and reach high accuracy by developing different static code analyzers optimizing the detection of software vulnerabilities in the source code and dependencies. Those mechanisms allow for drastically reducing false positives.

In this workshop paper, we will introduce the different tools composing the suite we are developing to foster developers' autonomy and security automation over the software supply chain. The vulnerability detection tool in the source code, by leveraging the knowledge graph technology, will be detailed. The related work comes from BALDER a national R&D project. Finally, we describe the contributions to improving security in software and IoT applications, and expose the expected benefits.

In this paper, we deal with the deployment of Post-Quantum Cryptography (PQC) in Internet of Things (IoT). Concretely, we focus on the MQTT (Message Queuing Telemetry Transport) protocol that is widely used in IoT services. The paper presents our novel quantum-resistant security proposal for the MQTT protocol that supports secure broadcast. Our solution omits using TLS with the handshake causing delay and is suitable for sending irregular short messages. Finally, we show how our solution can practically affect concrete use cases by the performance results of the proposed solution.

Vehicles are taking a major step towards connected transportation with advanced applications and robust security frameworks. Despite growth in networking potential in the automotive industry, security and privacy vulnerabilities continue to plague the industry. Internet of Vehicles, one of the subsets of cyber-physical systems, can utilize smart sensors to collect and synthesize data from connected vehicles. This technological development contributes to seamless information exchange between drivers, manufacturers, insurers, and service providers. For effective IoV systems, optimizing spectrum usage, allocating quality channels judiciously, and using infrastructure efficiently to maintain connectivity under changing traffic conditions are essential. However, security and privacy remain the main concerns of these communication networks. With the advent of blockchain technology, the world of cryptocurrency transactions can benefit from a secure communication framework that can alleviate these concerns. We propose integrating blockchain technology into IoV infrastructure in order to facilitate secure, reliable, and trust-enhancing communication between vehicles. We utilize a distributed access control system in order to ensure scalable and strategic decision-making processes. Our results and evaluation show that the use of distributed storage across cloud platforms helps enhance data security, enabling vehicles to exchange information safely.

There is a growing concern about the dynamic landscape of cyber security threats escalating, and the need for improvement in defence capabilities against emerging sophisticated incidents. In response, this paper presents a solution called the Cyber Incident Simulation System, which enables system security engineers to simulate cyber-physical attacks and incidents without the requirement to affect or disrupt the ongoing business operation of the system. Leveraging graph-based threat modelling and AI-generated incident data, the system empowers professionals to predict the effect of the incident within the system under study. The synthetic data is used by anomaly-based Intrusion Detection Systems (IDSs) and other additional security controls to improve their detection algorithms to enhance their accuracy and effectiveness. The Cyber Incident Simulation System is designed to enhance the cyber security measures through the simulation of various incident scenarios.

Artificial intelligence systems like large language models (LLM) source their knowledge from large datasets. Systems like ChatGPT therefore rely on shared data to train on. For enterprises, releasing data to the public domain requires anonymization as soon as a individual is identifiable. While multiple privacy models exist that guarantee a specific level of distortion applied to a dataset, to mitigate re-identification with e.g. k-anonymity, the required level is in general defined by the data processor. We propose the idea to combine individual privacy levels defined by the data subjects themselves with a privacy language such as LPL (Gerl et al., 2018) to get a more fine-granular understanding of the effectively required privacy level. Queries targeting subsets of the to be released dataset can only profit from lower privacy requirements set by data subjects as these response subsets may do not contain users with high privacy requirements, which can then lead to more utility. By analyzing the results of different queries directed at a privacy-aware data-transforming database system, we demonstrate the characteristics needed for this assumption to really take effect. For a more realistic evaluation we also take changes of the underlying data sources in consideration.

Innovations in technology bring new challenges that need to be addressed, especially in the field of technical artifact discovery and analysis that enables digital forensic practitioners. Digital forensic analysis of these innovations is a constant challenge for digital investigators. In the rapidly evolving landscape of Artificial Intelligence ( AI), keeping up with the digital forensic analysis of each new tool is a difficult task. New, advanced Large Language Model (LLM)s can produce human-like artifacts because of their complex textual processing capabilities. One of the newest innovations is a multi-agent LLM framework by Microsoft called AutoGen. AutoGen enables the creation of a team of specialist LLM-backed agents where the agents "chat" with each other to plan, iterate, and determine when a given task is complete. Typically one of the agents represents the human user while the other agents work autonomously after the human gives each agent a responsibility on the team. Thus, from a digital forensics perspective, it is necessary to determine which artifacts are created by the human user and which artifacts are created by the autonomous agents. Analysis in this work indicates that the current implementation of AutoGen has little in artifacts for attribution outside of particular memory artifacts, yet has strong indicators of usage in disk and network artifacts. Our research provides the initial account on the digital artifacts of the LLM technology AutoGen and first artifact examination for a LLM framework.

In the rapidly evolving digital healthcare landscape, the imperative for robust, flexible, and scalable data protection solutions has never been more critical. The advent of sophisticated cyber threats, coupled with the increasing complexity of healthcare IT infrastructures, underscores the necessity for advanced security mechanisms that can adapt to a wide range of challenges without compromising the accessibility or integrity of sensitive healthcare data. Within this context, our work introduces the SECANT Privacy Toolkit, a pioneering approach that harnesses the power of Proxy Re-Encryption (PRE) to redefine healthcare data security. We present an implementation prototype that not only serves as a baseline for the quantitative evaluation of healthcare data protection but also exemplifies the SECANT Toolkit's capability to enhance interoperability across disparate healthcare systems, strengthen authentication mechanisms, and ensure scalability amidst the growing data demands of modern healthcare networks. This prototype underscores our commitment to addressing the multifaceted security needs of the healthcare sector by providing a solution that is both comprehensive and adaptable to the dynamic landscape of digital health information security.By integrating cutting-edge cryptographic technologies, including Attribute-Based Encryption (ABE) and Searchable Encryption (SE), with the flexibility and control offered by PRE, the SECANT Privacy Toolkit stands at the forefront of secure and efficient healthcare data management. This integration facilitates not only the secure exchange of data across decentralized networks but also empowers healthcare providers with tools for fine-grained access control and privacy-preserving data searches, thereby addressing key challenges such as data interoperability, cybersecurity threats, and regulatory compliance.Our exploration reveals the toolkit's potential to revolutionize the way healthcare data is protected, shared, and accessed, providing a scalable, efficient, and user-friendly platform for healthcare providers, patients, and stakeholders. The SECANT Privacy Toolkit not only aligns with current healthcare data security requirements but also anticipates future challenges, ensuring that it remains a vital asset in the ongoing effort to safeguard sensitive healthcare information. This work contributes significantly toward enhancing the security and privacy of healthcare data, offering a robust framework for interoperability, authentication, and scalability that responds to the evolving needs of the healthcare industry. Through the deployment of our prototype and the subsequent evaluation, we aim to demonstrate the practicality, effectiveness, and transformative potential of the SECANT Privacy Toolkit in advancing healthcare data protection.

This is a work-in-progress paper on detecting if a text was written by humans or generated by a language model. In our case study, we focused on email messages. For experiments, we used a mixture of publicly available email datasets with our in-house data, containing in total over 10k emails. Then, we generated their "copies" using large language models (LLMs) with specific prompts. We experimented with various classifiers and feature spaces. We achieved encouraging results, with F1-scores of almost 0.98 for email messages in English and over 0.92 for the ones in Polish, using Random Forest as a classifier. We found that the detection model relied strongly on typographic and orthographic imperfections of the analyzed emails and on statistics of sentence lengths. We also observed the inferior results obtained for Polish, highlighting a need for research in this direction.

The evolution of authentication mechanisms in ensuring secure access to systems has been crucial for mitigating vulnerabilities and enhancing system security. However, despite advancements in two-factor authentication (2FA) and multi-factor authentication (MFA), authentication mechanisms remain weak in system security, particularly when individuals accessing critical systems are involved. In response to this challenge, we propose a novel blockchain-based multi-factor dynamic authentication mechanism (BMFA) that integrates honeytoken technology to enhance security. Our proposed mechanism leverages Ethereum blockchain technology and smart contracts to provide a decentralized and robust authentication framework. By incorporating honeytokens into smart contracts, we introduce a dynamic layer of security that continuously adapts to prevent potential attacks. Our evaluation demonstrates that our BMFA mechanism effectively addresses various security challenges, including brute force attacks, man-in-the-middle attacks, and smart contract vulnerabilities, while providing robust protection against unauthorized access. Our findings emphasise the efficacy of the BMFA mechanism in enhancing system security and mitigating evolving threats in authentication processes for next-generation critical industrial control systems.