University of Southern California Information Sciences Institute
Abstract—To bring some of the IEEE Symposium on Security and Privacy Workshops to a wider audience, IEEE Security & Privacy magazine's editorial board decided to devote one special issue each year to a reprise of selected symposium papers. This year, the special issue focuses on two of the Security and Privacy Workshops held in conjunction with the symposium. Three articles discuss security in Web systems, and the fourth describes the emerging field of privacy engineering and the motivation, content, and results of the first workshop on this topic.
Keywords—symposium; security; privacy; IEEE Symposium on Security and Privacy; Security and Privacy Workshops; W2SP; IWPE
For 37 years, the IEEE Symposium on Security and Privacy has been the premier forum for presenting computer security and electronic privacy developments and for bringing together leading researchers and practitioners. The topics covered at the symposium have varied over the years, but the work presented has always been considered some of the best, most timely research in the field.
For the past 10 years, the symposium has also included associated workshops. The workshops expand opportunities for scientific exchange by covering a specific aspect of security and privacy in more detail and by providing a forum for presenting work at an early stage. These workshops are co-located with the symposium, and the number of workshops and attendees has grown steadily over recent years.
In an effort to bring some of the symposium and the workshops to a wider audience, IEEE Security & Privacy magazine's editorial board devotes one special issue each year to a reprise of selected papers. The first special issue to do this was IEEE S&P vol. 12, no. 3, highlighting papers from the 2013 symposium; we repeated this process in IEEE S&P vol. 13, no. 2, highlighting papers from the 2014 symposium. This year, we've decided to spotlight the 2015 Security and Privacy Workshops (SPW).
We surveyed the five workshops that made up the 2015 SPW and decided on two—one in its ninth year, Web 2.0 Security and Privacy (W2SP; http://ieee-security.org/TC/SPW2015/W2SP), and one in its first year, the International Workshop on Privacy Engineering (IWPE; http://ieee-security.org/TC/SPW2015/IWPE). Together with the workshop organizers, we invited authors to submit revised articles targeted to the broader magazine audience and enhanced with new results since the original papers’ publication. We consulted with SPW program chairs and chose papers based on general interest and accessibility. Capitalizing on the strength of the community as embodied by the symposium and associated workshops as well as the magazine and the worldwide attention to cybersecurity, we selected four articles from the 2015 SPW.
Three of the articles are from W2SP, which focuses on uniting researchers, practitioners, Web programmers, policymakers, and others interested in the latest advances in the security and privacy of the Web, browsers, cloud, mobile devices, and their ecosystem. This topic continues to grow in importance as society moves to an ever more Web-based paradigm.
The fourth paper in this special issue is from IWPE. Motivated by both events surrounding privacy breaches and increasing legislation and standards aimed at strengthening individuals’ privacy, the workshop focused on all aspects of privacy engineering, ranging from theoretical foundations, engineering approaches, and support infrastructures to practical application in projects of different scale.
The three W2SP articles address a range of security and privacy issues in modern Web design and deployment. The article “Bake in .onion for Tear-Free and Stronger Website Authentication,” by Paul Syverson and Griffin Boyce, describes a new approach to basic website authentication that the authors argue can be easier, faster, cheaper, and more secure than existing alternatives. What makes this article especially interesting is that the proposed technique makes new use of the well-established Tor infrastructure, which provides anonymous Internet access. In their article, the authors describe how the self-authenticating nature of Tor .onion addresses, which are derived from a service's own key, can be combined with conventional certificate-based website authentication to strengthen it. The authors demonstrate the technique through an example based on PGP (Pretty Good Privacy) that, while manual in nature, could be employed today. They also describe an automated approach that requires modifications to certificates for the .onion domain. Given both the prevalence of Web authentication issues and the growing number of Tor users, this article has the potential for significant application.
Even with effective authentication of websites, we still face attacks on the content those websites serve. “Stickler: Defending against Malicious Content Distribution Networks in an Unmodified Browser,” by Amit Levy, Henry Corrigan-Gibbs, and Dan Boneh, addresses threats that arise from the increasing use of content distribution networks (CDNs) to serve static website content. Many website developers don't appreciate that a CDN, although beneficial for reducing load and latency and for absorbing traffic spikes, terminates the site's HTTPS connections and can therefore alter what it delivers; a compromised or misbehaving CDN thus puts the site's users at risk. In this article, the authors describe a prototype system called Stickler that lets website publishers guarantee their content's integrity to unmodified browsers even in the face of a malicious CDN. The prototype has been deployed on a local university website, and the authors collected data to demonstrate Stickler's effectiveness.
The third W2SP article, “Analysis and Mitigation of NoSQL Injections,” by Aviv Ron, Alexandra Shulman-Peleg, and Anton Puzanov, addresses security issues in the data stores that back websites. NoSQL databases have seen increasing use in big data and real-time Web applications. However, these systems often lack the security mechanisms that have matured around relational databases. This is ironic: earlier systems were subject to SQL injection attacks, and one might think that moving to a NoSQL data store would remove that class of problem. Unfortunately, these systems present new opportunities for attackers, because untrusted input that reaches a query object can carry query operators or code fragments rather than plain values. This article identifies attack vectors for NoSQL systems and describes methodologies to mitigate attacks. Although there are some initial reports of NoSQL injection techniques in the literature, this article extends early work and aims to increase threat awareness. In addition, it outlines several important approaches to mitigating security risks in NoSQL deployments across three broad phases: development and testing, secure deployment, and monitoring and detection.
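To make the attack vector concrete, here is an added example (not code from the article) of operator injection through a MongoDB-style query object, beside a hardened form. The user records, the attacker payloads and the tiny in-memory matcher are constructed stand-ins for a real collection; the matcher implements only the few filter semantics the example needs.

```javascript
// Added example: NoSQL operator injection through a MongoDB-style query
// object, with a hardened form. Not code from the article; the matcher and
// the user records are constructed stand-ins for a real collection.

// Constructed sample collection. Passwords are stored in clear only to keep
// the example short; real code compares password hashes.
const USERS = [
  { username: "alice", password: "correct horse", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// Subset of MongoDB filter semantics: a scalar means equality; an object whose
// keys start with '$' is an operator clause; any other object is compared for
// equality as an embedded document (so {} matches no string field).
function fieldMatches(value, cond) {
  if (cond === null || typeof cond !== "object") return value === cond;
  const keys = Object.keys(cond);
  const ops = keys.filter((k) => k.startsWith("$"));
  if (ops.length === 0) return JSON.stringify(value) === JSON.stringify(cond);
  if (ops.length !== keys.length) throw new Error("mixed operator and field keys");
  return keys.every((op) => {
    switch (op) {
      case "$gt": return value > cond[op];
      case "$ne": return value !== cond[op];
      case "$regex": return new RegExp(cond[op]).test(String(value));
      default: throw new Error("unsupported operator " + op);
    }
  });
}

function find(filter) {
  return USERS.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond)));
}

// VULNERABLE: body is a parsed JSON request (as from express.json()) and its
// fields are dropped straight into the filter, operators and all.
function loginVulnerable(body) {
  const hits = find({ username: body.username, password: body.password });
  return hits.length ? hits[0].username : null;
}

// HARDENED: only scalar strings are accepted for credential fields, so an
// operator object such as {"$gt": ""} never reaches the query.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return null;
  const hits = find({ username, password });
  return hits.length ? hits[0].username : null;
}

// Defense in depth for code paths that must accept structured input: strip
// every key beginning with '$' before the object can reach a query, the
// approach taken by sanitizer middleware such as express-mongo-sanitize.
function stripOperators(input) {
  if (Array.isArray(input)) return input.map(stripOperators);
  if (input && typeof input === "object") {
    return Object.fromEntries(
      Object.entries(input)
        .filter(([k]) => !k.startsWith("$"))
        .map(([k, v]) => [k, stripOperators(v)]));
  }
  return input;
}

// Constructed attacker payloads. BYPASS is the classic {"$gt": ""} trick,
// true for every non-empty string, so it logs in as the first stored user.
// PROBE shows why $regex allows character-by-character password recovery.
const BYPASS = { username: { $gt: "" }, password: { $gt: "" } };
const PROBE = { username: "bob", password: { $regex: "^h" } };
```

The type check in loginHardened is the decisive fix: a JSON body parser will happily produce nested objects, and the application, not the database driver, is the only place that knows a password must be a string. Operator stripping is a useful second layer, but on its own it still lets structurally odd input through, and it does nothing for injection into server-side JavaScript evaluation, which needs that feature disabled or the input never reaching it.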
Web services' continuing vulnerability is evidenced in these three articles as well as in the other workshop papers. W2SP has been bringing these issues to the research community's attention for nearly a decade.
The final paper in this special issue comes from the first IWPE. The addition of this workshop to the symposium not only indicates privacy's importance as a topic but also provides hope that there will be an emerging discipline on creating privacy-preserving systems. The article, “Privacy Engineering: Shaping an Emerging Field of Research and Practice,” by Seda Gürses and Jose M. del Alamo, describes privacy engineering; why the practice area emerged and is relevant now; what it encompasses; how the workshop came about; and which topics were explored in the first of hopefully many more workshops on the topic. The authors’ premise is that although there's a growing understanding of privacy as a first-class notion in systems, the response has largely been that of craftsmanship rather than engineering. They argue that few existing efforts are based on generalization and systemization of knowledge. Thus, the workshop focused on developing an engineering practice informed by systematic research.
The second IWPE will be held in conjunction with the 37th IEEE Symposium on Security and Privacy on 23–25 May 2016 (www.ieee-security.org/TC/SP2016). I’m sure the community looks forward to hearing more about this important topic.
I hope that by spotlighting portions of the symposium workshops, IEEE S&P enhances the value of both the symposium and the magazine to the community. I look forward to seeing you at the symposium if you're able to attend and connecting with you through the pages of the magazine throughout the year.