-
Your Vulnerability Disclosure Is Important To Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue
Authors:
Koen van Hove,
Jeroen van der Ham-de Vos,
Roland van Rijswijk-Deij
Abstract:
It is a public secret that doing email securely is fraught with challenges. We found a vulnerability present at many email providers, allowing us to spoof email on behalf of many organisations. As email vulnerabilities are ten a penny, instead of focusing on yet another email vulnerability we ask a different question: how do organisations react to the disclosure of such a security issue in the wil…
▽ More
It is a public secret that doing email securely is fraught with challenges. We found a vulnerability present at many email providers, allowing us to spoof email on behalf of many organisations. As email vulnerabilities are ten a penny, instead of focusing on yet another email vulnerability we ask a different question: how do organisations react to the disclosure of such a security issue in the wild? We specifically focus on organisations from the public and critical infrastructure sector who are required to respond to such notifications by law. We find that many organisations are difficult to reach when it concerns security issues, even if they have a security contact point. Additionally, our findings show that having policy in place improves the response and resolution rate, but that even with a policy in place, half of our reports remain unanswered and unsolved after 90~days. Based on these findings we provide recommendations to organisations and bodies such as ENISA to improve future coordinated vulnerability disclosure processes.
△ Less
Submitted 12 December, 2023;
originally announced December 2023.
-
Differentially-Private Decision Trees and Provable Robustness to Data Poisoning
Authors:
Daniël Vos,
Jelle Vos,
Tianyu Li,
Zekeriya Erkin,
Sicco Verwer
Abstract:
Decision trees are interpretable models that are well-suited to non-linear learning problems. Much work has been done on extending decision tree learning algorithms with differential privacy, a system that guarantees the privacy of samples within the training data. However, current state-of-the-art algorithms for this purpose sacrifice much utility for a small privacy benefit. These solutions crea…
▽ More
Decision trees are interpretable models that are well-suited to non-linear learning problems. Much work has been done on extending decision tree learning algorithms with differential privacy, a system that guarantees the privacy of samples within the training data. However, current state-of-the-art algorithms for this purpose sacrifice much utility for a small privacy benefit. These solutions create random decision nodes that reduce decision tree accuracy or spend an excessive share of the privacy budget on labeling leaves. Moreover, many works do not support continuous features or leak information about them. We propose a new method called PrivaTree based on private histograms that chooses good splits while consuming a small privacy budget. The resulting trees provide a significantly better privacy-utility trade-off and accept mixed numerical and categorical data without leaking information about numerical features. Finally, while it is notoriously hard to give robustness guarantees against data poisoning attacks, we demonstrate bounds for the expected accuracy and success rates of backdoor attacks against differentially-private learners. By leveraging the better privacy-utility trade-off of PrivaTree we are able to train decision trees with significantly better robustness against backdoor attacks compared to regular decision trees and with meaningful theoretical guarantees.
△ Less
Submitted 12 October, 2023; v1 submitted 24 May, 2023;
originally announced May 2023.
-
An Agent-based Approach to Automated Game Testing: an Experience Report
Authors:
I. S. W. B. Prasetya,
Fernando Pastor Ricós,
Fitsum Kifetew,
Davide Prandi,
Samira Shirzadeh-hajimahmood,
Tanja E. J. Vos,
Premysl Paska,
Karel Hovorska,
Raihana Ferdous,
Angelo Susi,
Joseph Davidson
Abstract:
Computer games are very challenging to handle for traditional automated testing algorithms. In this paper we will look at intelligent agents as a solution. Agents are suitable for testing games, since they are reactive and able to reason about their environment to decide the action they want to take. This paper presents the experience of using an agent-based automated testing framework called \ivx…
▽ More
Computer games are very challenging to handle for traditional automated testing algorithms. In this paper we will look at intelligent agents as a solution. Agents are suitable for testing games, since they are reactive and able to reason about their environment to decide the action they want to take. This paper presents the experience of using an agent-based automated testing framework called \ivxr\ to test computer games. Three games will be discussed, including a sophisticated 3D game called Space Engineers. We will show how the framework can be used in different ways, either directly to drive a test agent, or as an intelligent functionality that can be driven by a traditional automated testing algorithm such as a random algorithm or a model based testing algorithm.
△ Less
Submitted 11 November, 2022;
originally announced November 2022.
-
IMPRESS: Improving Engagement in Software Engineering Courses through Gamification
Authors:
Tanja E. J. Vos,
I. S. W. B. Prasetya,
Gordon Fraser,
Ivan Martinez-Ortiz,
Ivan Perez-Colado,
Rui Prada,
Jose Rocha,
Antonio Rito Silva
Abstract:
Software Engineering courses play an important role for preparing students with the right knowledge and attitude for software development in practice. The implication is far reaching, as the quality of the software that we use ultimately depends on the quality of the people that make them. Educating Software Engineering, however, is quite challenging, as the subject is not considered as most excit…
▽ More
Software Engineering courses play an important role for preparing students with the right knowledge and attitude for software development in practice. The implication is far reaching, as the quality of the software that we use ultimately depends on the quality of the people that make them. Educating Software Engineering, however, is quite challenging, as the subject is not considered as most exciting by students, while teachers often have to deal with exploding number of students. The EU project IMPRESS seeks to explore the use of gamification in educating software engineering at the university level to improve students' engagement and hence their appreciation for the taught subjects. This paper presents the project, its objectives, and its current progress.
△ Less
Submitted 14 December, 2019;
originally announced December 2019.
-
DEFenD: A Secure and Privacy-Preserving Decentralized System for Freight Declaration
Authors:
Daniël Vos,
Leon Overweel,
Wouter Raateland,
Jelle Vos,
Matthijs Bijman,
Max Pigmans,
Zekeriya Erkin
Abstract:
Millions of ship** containers filled with goods move around the world every day. Before such a container may enter a trade bloc, the customs agency of the goods' destination country must ensure that it does not contain illegal or mislabeled goods. Due to the high volume of containers, customs agencies make a selection of containers to audit through a risk analysis procedure. Customs agencies per…
▽ More
Millions of ship** containers filled with goods move around the world every day. Before such a container may enter a trade bloc, the customs agency of the goods' destination country must ensure that it does not contain illegal or mislabeled goods. Due to the high volume of containers, customs agencies make a selection of containers to audit through a risk analysis procedure. Customs agencies perform risk analysis using data sourced from a centralized system that is potentially vulnerable to manipulation and malpractice. Therefore we propose an alternative: DEFenD, a decentralized system that stores data about goods and containers in a secure and privacy-preserving manner. In our system, economic operators make claims to the network about goods they insert into or remove from containers, and encrypt these claims so that they can only be read by the destination country's customs agency. Economic operators also make unencrypted claims about containers with which they interact. Unencrypted claims can be validated by the entire network of customs agencies. Our key contribution is a data partitioning scheme and several protocols that enable such a system to utilize blockchain and its powerful validation principle, while also preserving the privacy of the involved economic operators. Using our protocol, customs agencies can improve their risk analysis and economic operators can get through customs with less delay. We also present a reference implementation built with Hyperledger Fabric and analyze to what extent our implementation meets the requirements in terms of privacy-preservation, security, scalability, and decentralization.
△ Less
Submitted 25 March, 2018;
originally announced March 2018.