============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 181                                    September 23, 2024

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich                            Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
   o Sven Dietrich's review of the book, "Security of FPGA-Accelerated Cloud Computing Environments" by Jakub Szefer and Russell Tessier
   o Richard Austin's review of "Microcontroller Exploits" by Travis Goodspeed
   o News items
     - LegalWare Follows Ransomware
     - Water Protection Efforts Fight an Uphill Battle
     - The Last Page
   o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to have two book reviews this month, one from our current book review editor, Sven Dietrich, and another from the former long-time holder of that post, Richard Austin.
Their reviewed books are about the timely topics of FPGA and microcontroller security, respectively.

We are already in the middle of the deadline schedule for papers for the 2025 S&P conference next May. In fact, May through June/July could be called the TCSP conference grand tour: HOST, S&P, Euro S&P, CSF. The second deadline for S&P papers is November 14. Meanwhile, the paper registration deadline for EuroS&P next year in Venice is imminent: October 14. If an author would like to have a full tour of the security research landscape, then the next event would be Computer Security Foundations in Santa Cruz, CA, next June (or perhaps July). Note that the paper submission deadline is October 1 for CSF.

There has been little news of cybersecurity in the mainstream media of late, and we suspect that the US election news has overshadowed such petty things as ransomware attacks. That is, until the news from Lebanon. The shocking explosions of electronic devices bring home the dangers of our electronic world and our dependence on personal appliances. Just as terrorism changed the air travel experience everywhere, this recent event may change the way we vet and accept all electronics that are close to us. Yet another Pandora's box, opened and unclosable.

    Deep in (Kernel) Memory

    Deep in the kernel, the memory internal,
    Should hold its state, and never fumble,
    Deep in the kernel, the errors infernal,
    Corrupt the tables, pages go jumble.
    Deep in the kernel, when locks are eternal,
    Reboots make consistency tumble.
    Deep in the kernel, if syscalls return null,
    Refresh the RAM, don't wait to stumble.
    Deep in the kernel, when look-ups become slow,
    Keep tables shallow, shallow, shallow.
    (With apologies to Tom Jones)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich   9/23/24
____________________________________________________________________

"Security of FPGA-Accelerated Cloud Computing Environments"
by Jakub Szefer and Russell Tessier
Springer Verlag, 2024.
ISBN 978-3-031-45394-6 (hardcover), 978-3-031-45395-3 (ebook).
328 pages + x, First edition, 2024

Cloud computing has been around as a basic concept, if you are strictly and technically talking about virtual environments and virtual machine monitors, roughly since the 1960s. With that topic came a series of research topics that explored information flow, side channels, as well as covert channels, among others. The term cloud computing became popular with the advent of the Internet and the need for shared resources across network connections. This book revisits these topics in a very specific context.

While cloud computing in general has offered access to shared resources for both CPU and GPU computing, there has been the option to select Field Programmable Gate Arrays (FPGAs) on some cloud computing services since the mid 2010s. FPGAs are nothing other than an example of Programmable Logic Devices, allowing for the creation of integrated circuits using a hardware description language such as VHDL.
The editors Jakub Szefer and Russell Tessier have put together a book of 328 pages and 11 chapters, entitled "Security of FPGA-Accelerated Cloud Computing Environments," touching upon 11 separate yet interconnected topics on the security of such FPGA-accelerated cloud environments. The book overall is illustrated with color tables, charts, and figures, and each chapter is mostly self-contained: each has a proper introduction, an overview of the chapter, the main portion of the topic, plus an extensive set of references at the end of the chapter. The editors of the book are co-authors of some of the chapters, which have been written by specific experts in the subfield.

The 11 chapters easily flow into three main categories, as mentioned in the book's foreword. Chapters 1-3 focus on authentication, protection of data communications between local and remote clients, and the cryptographic primitives that one could run on the FPGAs. Chapters 4-9 focus on physical attacks on the FPGAs, attacks between remote FPGAs, as well as hybrid attacks using FPGAs, CPUs, and GPUs. Chapters 10-11 discuss countermeasures and defenses for the cloud-based attacks. The book considers the single-tenant and multi-tenant cases, meaning either single and sequential use, or concurrent use of the FPGA hardware by cloud clients. The examples given in each chapter often refer to specific hardware implementations of FPGAs, including the various "FPGA cloud options" the major cloud providers have been offering.

The chapters are described here in order.

1. This book begins with authentication and confidentiality in FPGA-based clouds. As expected, you will find the basics explained for this setting. Considerations such as proper trust authorities and multi-tenant scenarios are explored, as well as open challenges on this topic. The use of Physically Unclonable Functions (PUFs) for FPGAs is mentioned as well.

2. The second chapter delves deeper into domain isolation and access control, a topic we have been familiar with, but here explained in the multi-tenant setting of the FPGA-based cloud. Here we see hardware and software isolation architecture considerations, plus approaches from classical security, such as the NSA FLASK architecture.

3. Efficient and secure encryption for FPGAs in the cloud. Approaching the topic from the angle of lightweight cryptography, a topic popularized partly by the Internet of Things, the reader learns what throughput is to be expected to and from the FPGA clouds and configurable hardware. Illustrations show modes of encryption, architectures, and numerical results for the efficiency tests. Reflections on post-quantum cryptography in the FPGA setting round off the chapter.

4. Remote physical attacks on FPGAs at the electrical level. The authors explain the impact of manipulating power to the actual FPGAs, either by attacking its power distribution network, fault injection and power side channels, and forcing consumption of electrical resources, e.g. by causing voltage drops which would affect the actual FPGA logic. An evaluation of covert channels summarized in large tables illustrates the potential impact. Some design improvements are presented that would prevent or at least mitigate such attacks.

5. Practical implementations of remote power side-channel and fault-injection attacks on multi-tenant FPGAs. This chapter contains well-illustrated, actual experiments with power side-channel attacks as well as fault-injection attacks in connection with FPGA voltage sensors, power wasters, and other electrical impacts on computation when other users are running jobs on the FPGA.

6. Contention-based threats between single-tenant cloud FPGA instances. This chapter describes practical inference mechanisms and covert channels between single-tenant FPGA setups, exploring channels such as the PCIe bus, heat signatures, and other forms that can carry information at a much higher rate than expected.

7. Covert channels in cross-board power-based FPGA, CPU, and GPUs. The authors of this chapter identify shared power supplies as a source of inference, introduce remote covert channels between FPGAs, and introduce CPU-to-FPGA as well as GPU-to-FPGA covert channels.

8. Microarchitectural vulnerabilities introduced, exploited, and accelerated by heterogeneous FPGA-CPU platforms. As hybrid setups are created by cloud providers through various integrations of CPUs and FPGAs, e.g. by the PCIe bus or otherwise, new attack mechanisms arise. One example described in this chapter is the JackHammer attack, the FPGA equivalent of the RowHammer attack on DRAM memory chips.

9. Fingerprinting and mapping cloud FPGA infrastructures. In the case of thermal or temporal attacks, it is important to know that one has returned to or can obtain a specific physical FPGA. Using some fingerprinting techniques that bypass the cloud provider's undisclosed defense mechanism, the authors show how one can perform some FPGA cartography, effectively charting the FPGA infrastructure of the provider to some extent.

10. Countermeasures against voltage attacks in multi-tenant FPGAs. Here the authors summarize the countermeasures for electrical attacks, namely attacks that use stressors, waste power, lower voltage and potentially inject faults that way.

11. A proposal for programmable RO (PRO): a multipurpose countermeasure against side-channel and fault injection attacks. Ring oscillators (ROs) play a key role in this approach, as well as on-chip sensors. Various fault detection mechanisms are reviewed as the book wraps up with countermeasures in the last two chapters.

Overall the book is aimed at researchers, industry practitioners in technology, e-commerce, and online services, and postgraduate students seeking in-depth information about FPGAs.
The editors did an excellent job of pulling together the diverse authors of each chapter, who provided such an excellent in-depth and real-world excursion into this FPGA cloud topic. I really enjoyed reading this book, especially due to its systems aspect, and the book (thank you Jakub!) will find its place on my bookshelf for any needed reference on this very timely topic.

--------------------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org
--------------------------------------------------------------------

____________________________________________________________________
Book Review By Richard Austin   9/2/24
____________________________________________________________________

Microcontroller Exploits
by Travis Goodspeed
No Starch Press 2024.
ISBN 978-1-7185-0388-5
(This review is based on the hardcover edition)
Table of contents and sample chapter available at Microcontroller Exploits | No Starch Press

Microcontrollers are found in everything from credit cards and medical devices to the key fob for your car. And with such wide use, adversarial interest inevitably follows. Details of microcontroller (or firmware) exploits have been largely inaccessible to the general cybersecurity community, with the details only appearing in conference proceedings or ephemeral literature such as forum or blog posts, "beer-stained napkins" used for illustrations and notes during an evening's discussion, etc. Goodspeed is intending to change that by gathering information and documenting techniques in a single place (though he also includes an extensive bibliography).

The first thing that strikes one about the book is that it is meant to be used. It has a sturdy cover and quality paper that will survive day-to-day use and continuing reference. The pages have wide margins that, as Goodspeed notes in his introduction, are intended for your notes.
There is even a bound-in bookmark.

The book is structured into an introduction followed by 25 numbered chapters that provide "in-depth explanations of either techniques or how to hack a specific chip" (p. 8). The following 9 lettered chapters describe classes of techniques: "More Bootloader Vulns", "More Debugger Attacks", etc., and tie them to specific targets.

In the introduction, Goodspeed defines a microcontroller as a single-chip computer that includes "some memory for a computer program, the barest minimum of a CPU to run that program, and enough RAM to store global variables, and maybe also a heap and call stack" (p. 7). Microcontrollers often include firmware "read data protection" (RDP) features intended to prevent extraction of the firmware for reverse engineering or unauthorized modification, and the book offers methods for defeating those protection features.

Chapter 1, "Basics of Memory Extraction", provides a quick overview of the basics involved in extracting firmware. The process begins with basic research on the target chip: datasheets (detailed information on a specific chip), family guide (chips are often part of a family of related chips), reference designs (illustrations of how the chip might actually be used in a design), and a working cross-compiler. The author provides sage advice that "only by first understanding how the chip would be programmed in a factory will you find the bug that dumps the firmware out" (p. 9). Or as the old security aphorism puts it: "If you don't know how it's supposed to work, how are you going to figure out how to make it break?"

Next comes a high-level tour of three common techniques that find many uses in later chapters. JTAG (named for its developer, the Joint Test Action Group) is a hardware protocol for debugging and failure analysis (described in greater detail in Chapter 8, "Basics of JTAG and ICSP").
Unfortunately, manufacturers may lock JTAG out in production chips, which requires the reverse engineer to bypass the lock before using JTAG to read out the firmware. "ROM Bootloaders" allow the devices to boot (load their firmware) from various sources. These bootloaders can be extracted, reverse engineered, modified or exploited (yes, firmware has exploitable vulnerabilities too, and they can be fiendishly difficult to patch and therefore linger for a long time) to form the basis for a technique to read out the firmware. "FLASH Bootloaders" are similar to the ROM bootloaders but are relevant to flash memory. Each of these general techniques is illustrated by applications in the following chapters.

The main part of the book follows with detailed explanations of how firmware can be extracted from specific chips. The index makes it easy to cross reference the chip part number to the relevant chapter of the book.

Because I'm an amateur radio operator, chapter 3, "MD380 Null Pointer, DFU", caught my eye, as its target is the firmware for a handheld radio transceiver, the Tytera MD380. The STM32F405 chip in this radio is configured at RDP Level "1 with read protection." Goodspeed begins by investigating the radio's implementation of the DFU (Device Firmware Update) protocol by performing a normal firmware update using the vendor's application running on a virtual machine with the hypervisor instructed to write all USB traffic to a log file. He is able to identify the normal DFU commands but also some proprietary commands. Investigating those commands, he finds a null pointer vulnerability that allows reading of the flash bootloader. Using this information (and a lot of creativity and knowledge), he was able to reverse engineer the firmware recovery bootloader. He then patches the recovery bootloader to set the RDP level to "0 with No Protection" instead of "1 with Read Protection". After this, he can read the application firmware, modify it and write it back.
That might be job done from an exploitation viewpoint, but if a normal user is going to install the modified firmware, they will need to be able to use the vendor's update program which, in this case, expects to decrypt an encrypted firmware image before writing it to the device. There are a number of techniques available for encrypting data and some are more difficult to break than others. One of Goodspeed's colleagues, Christianne Rutten, was able to determine that the vendor used an XOR against a firmware key to produce the cipher text. This simple-to-break encryption provided a means for altered firmware to be encrypted and loaded into the radio using the vendor's firmware update utility and gave rise to a community project to enhance the firmware for this radio (md380tools).

This is both a fascinating and profoundly disturbing book. On the fascinating side, it is a cornucopia of great information. Simple perusal of the table of contents generated many "You can do that?" and, after reading the relevant chapter, "Wow, so that's how it's done!" moments. On the disturbing side, all that great and profoundly useful information is now gathered in one place and presented by a master. It also quickly becomes apparent that the bugs we chase in higher level software such as null pointers, backdoors, privilege escalation, etc., are all too present in firmware as well.

However, this is not a "type-along" type of book. Goodspeed provides an excellent roadmap, but you will still have to walk the road. To use the book to its full advantage, the reader should have experience with microcontrollers in general, a good grasp of debugging at the hardware level, and solid reverse engineering skills. Some of the techniques for de-capping chips for analysis require use of dangerous chemicals, so Goodspeed's advice on safety equipment and procedures should be taken to heart.

Who should read this book?
The general security community would benefit from at least giving it a cursory read to understand what is possible given the current state of the art in firmware exploitation. This will help in evaluating security assurance claims regarding "protected" firmware updates and the effectiveness of cryptographic protections for firmware and in developing security requirements.

Product designers would benefit from understanding the effectiveness of reverse engineering techniques, and this understanding should better inform their decisions on how to protect the firmware used in their products and assure users that the firmware they have on their devices is genuine. It should also raise the visibility of exploitable vulnerabilities in firmware and hopefully generate increased focus on their elimination.

And finally, the community fascinated by how things work will find this an invaluable compendium of information for their own learning and further research.

---------------------------------------------------------------------------
Richard Austin is a former book review editor for IEEE-Cipher and though he is now retired, the occasional book does land on his desk that is of sufficient interest for him to try your patience yet again by contributing a review.
He can be reached at raustin AT ieee DOT org
---------------------------------------------------------------------------

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-----------------------------------------------------------------------
- LegalWare Follows Ransomware

Crippling Patelco Ransomware Attack Leads to Pair of Class Action Lawsuits
https://www.kqed.org/news/11993524/crippling-patelco-ransomware-attack-leads-to-pair-of-class-action-lawsuits
Publication: KQED
Date: July 10, 2024
By: Katie DeBenedetti

Summary: Near the end of June, a California credit union, Patelco, was the victim of a ransomware attack that potentially exposed the personal data of its hundreds of thousands of members. It shut down all customer access for at least a week while it attempted to restore operations. In the wake of the attack, at least two class action lawsuits were filed against it for failing to properly protect clients' information.

----------------------------------------
Patelco Credit Union Says Breach Impacts 726k After Ransomware Gang Auctions Data
Patelco Credit Union has confirmed a data breach impacting many individuals after the RansomHub ransomware group stole some databases.
https://www.securityweek.com/patelco-credit-union-says-breach-impacts-726k-after-ransomware-gang-auctions-data/
Publication: SecurityWeek
Date: August 2, 2024
By: Eduard Kovacs

Summary: More information about the credit union ransomware attack became available in August. The number of exposed accounts is estimated at over 700K, which is nearly 50% higher than the initial estimates. The group responsible for the attack was named as RansomHub, and that group announced that it was auctioning off the stolen information.
----------------------------------------------------------------------------
- Water Protection Efforts Fight an Uphill Battle

EPA says litigation from Republicans, water companies forced withdrawal of cybersecurity memo
https://therecord.media/epa-says-litigation-from-republicans-and-water-companies-forced-withdrawal-of-cyber-memo
Publication: The Record
Date: October 13th, 2023
By: Jonathan Greig

Summary: Despite the increasing number of cyberattacks against water control systems in the US (see, for example, our news from June of this year, ./news-060324.html#WATER, and estimates of the number of similar attacks since 2019, https://therecord.media/epa-water-utilities-cybersecurity-rule-appeals-court-decision), the EPA's memorandum about securing the diverse systems around the country was met with resisting lawsuits last year. Three state attorneys general and two industry groups sued and obtained a temporary restraining order on the EPA's attempt to include cybersecurity reporting as part of certifying the suitability of water facilities. The imposition of the checklist was said to be onerous and would result in higher prices for consumers. The EPA withdrew the memo.

----------------------------------
Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems
https://www.gao.gov/products/gao-24-106744
Publisher: GAO
Date: Aug 01, 2024

Summary: Despite the rejection of last year's EPA memorandum on cybersecurity for water infrastructure, the US Government Accountability Office released a report (GAO-24-106744) on security risks to water and wastewater computer control systems.
----------------------------------------------------------------------------
- The Last Page

How Israel Built a Modern-Day Trojan Horse: Exploding Pagers
https://www.nytimes.com/2024/09/18/world/middleeast/israel-exploding-pagers-hezbollah.html
The Israeli government did not tamper with the Hezbollah devices that exploded, defense and intelligence officials say. It manufactured them as part of an elaborate ruse.
Publication: The New York Times
Date: Sept. 20, 2024
By: Sheera Frenkel, Ronen Bergman and Hwaida Saad

Summary: Thousands of pagers and walkie-talkies in Lebanon exploded on Tuesday and Wednesday last week, causing deaths and injuries. This appeared to be an enemy operation caused by the distribution of devices with booby-trapped batteries. A wireless message sent to the devices initiated the explosions. Not much is known about the manufacture of the pagers. They may have been made in Taiwan by the manufacturer whose logo appears on the devices, or they might have been made in the Mideast. The exact pathway of the pagers from the manufacturer to the Lebanese users is unknown, but somewhere along the way, batteries containing the explosive "PETN" were inserted. Some sort of known software vulnerability to cause the battery to overheat may have been the trigger.

------------------------------------
Japan firm says it stopped making walkie-talkies used in Lebanon blasts
https://www.bbc.com/news/articles/cj6ezre8xr4o
Publisher: BBC News
Date: Sep 18, 2024
By: Shaimaa Khalil, BBC News

Summary: The source of the exploding walkie talkies in Lebanon was not the manufacturer whose logo appears on the device cases. The company, Icom in Osaka, Japan, says that the IC-V82 transceivers that are pictured online as having been used in the attack are not theirs. They have not manufactured the devices in several years, and a holographic tag of authenticity is not on the devices.
====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

SYSTOR 2024 17th ACM International System and Storage Conference, Tel Aviv-Yaffo, Israel, September 23-25, 2024
https://www.systor.org/2024/

eCrime 2024 19th annual APWG eCrime symposium, Boston, Massachusetts, USA, September 24-26, 2024
https://ecrime2024hotcrp.com

CANS 2024 International Conference on Cryptology and Network Security, Cambridge, UK, September 24-27, 2024
https://2024cansconference.org/

DFRWS EU 2025 Digital Forensics Research Conference Europe, Hybrid, Brno, Czech Republic, April 1-4, 2025
https://dfrws.org/conferences/dfrws-eu-2025/
Submission date: 27 September 2024

SaTML 2025 3rd IEEE Conference on Secure and Trustworthy Machine Learning, Copenhagen, Denmark, April 9-11, 2025
https://satml.org/participate-cfp/
Submission date: 27 September 2024

EuroUSEC 2024 European Symposium on Usable Security conference, Karlstad, Sweden, September 30 - October 1, 2024
https://eurousec24.kau.se

RAID 2024 27th International Symposium on Research in Attacks, Intrusions and Defenses, Padua, Italy, September 30 - October 2, 2024
https://raid2024github.io/

CNS 2024 12th IEEE Conference on Communications and Network Security, Taipei, Taiwan, September 30 - October 3, 2024
https://cns2024ieee-cns.org/

6GQ 2024 Workshop on Postquantum Cryptography and Quantum Communication for 6G Networks, Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024), Caen, Normandy, France, October 8-10, 2024
https://sites.google.com/view/6gq2024/home

MarCaS 2024 2nd IEEE LCN Special Track on Maritime Communication and Security, Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024), Caen, Normandy, France, October 8-10, 2024
https://garykessler.net/lcn_marcas/

BRAINS 2024 6th Conference on Blockchain Research & Applications for Innovative Networks and Services, Berlin, Germany, October 8-11, 2024
https://brains.dnac.org/2024/

UbiSec 2024 4th International Conference on Ubiquitous Security, Changsha, China, December 29-31, 2024
http://ubisecurity.org/2024/
Submission date: 31 August 2024 and 10 October 2024

HealthSec 2024 Workshop on Cybersecurity in Healthcare, Held in conjunction with the 31st ACM Conference on Computer and Communications Security (CCS 2024), Salt Lake City, Utah USA, October 14, 2024
https://publish.illinois.edu/healthsec/

ACM CCS 2024 31st ACM Conference on Computer and Communications Security, Salt Lake City, Utah, USA, October 14-18, 2024
https://www.sigsac.org/ccs/CCS2024/call-for/call-for-papers.html

ASHES 2024 8th Workshop on Attacks and Solutions in Hardware Security, Held in conjunction with the 31st ACM CCS 2024, Salt Lake City, UT, USA, October 14-18, 2024
https://sss2024github.io

TPS 2024 6th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, Washington D.C., USA, October 28-30, 2024
https://www.sis.pitt.edu/lersais/conference/tps/2024/

ICTAI 2024 36th IEEE International Conference on Tools with Artificial Intelligence, Herndon, VA, USA, October 30 - November 1, 2024
https://ictai.computer.org/2024/

DFDS 2025 1st Digital Forensics Doctoral Symposium, Held in conjunction with Digital Forensics Research Conference Europe (DFRWS EU 2025), Brno, Czech Republic, April 1, 2025
https://www.dfrws.org/conferences/dfds2025/
Submission date: 4 November 2024

DASC 2024 22nd IEEE International Conference on Dependable, Autonomic and Secure Computing, Boracay Island, Malay, Philippines, November 5-8, 2024
http://cyber-science.org/2024/dasc/

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 12-15, 2025
https://www.sp2025ieee-security.org/cfpapers.html
Submission date: 6 June 2024 and 14 November 2024

NSS-SocialSec 2024 Joint 18th International Conference on Network and System Security and 10th International Symposium on Security and Privacy in Social Networks and Big Data, Abu Dhabi, UAE, November 20-22, 2024
http://nsclab.org/nss-socialsec2024/index.html

CRiSIS 2024 19th International Conference on Risks and Security of Internet and Systems, Aix-en-Provence, France, November 26-28, 2024
https://crisis2024univ-gustave-eiffel.fr

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025
https://petsymposium.org/cfp25.php
Submission dates: 31 May 2024, 31 August 2024, 30 November 2024, and 28 February 2025

UIC 2024 21st IEEE International Conference on Ubiquitous Intelligence and Computing, Denarau Island, Fiji, December 2-7, 2024
https://www.ieee-smart-world.org/2024/uic/

HOST 2025 18th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA, May 5-8, 2025
http://www.hostsymposium.org/call-for-paper.php
Submission date: 9 September 2024 and 9 December 2024

FPS 2024 17th International Symposium on Foundations & Practice of Security, Montreal, Canada, December 9-11, 2024
https://fps-2024hec.ca/

ICSS 2024 10th Industrial Control System Security Workshop, Held in conjunction with the Annual Computer Security Applications Conference (ACSAC), Waikiki, Hawaii, Dec 10, 2024
https://www.acsac.org/2024/workshops/icss/

ICISS 2024 20th International Conference on Information Systems Security, Jaipur, India, December 16-20, 2024
https://iciss.isrdc.in/

CSCML 2024 8th International Symposium on Cyber Security, Cryptology and Machine Learning, Beer-Sheva, Israel - Virtual, December 19-20, 2024
https://www.cscml.org/

UbiSec 2024 4th International Conference on Ubiquitous Security, Changsha, China, December 29-31, 2024
http://ubisecurity.org/2024/

IFIP 119 DF 2025 21st Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 6-7, 2025
http://www.ifip119.org/

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025
https://www.usenix.org/conference/usenixsecurity25
Submission date: 4 September 2024 and 22 January 2025

NDSS 2025 Network and Distributed System Security Symposium and Workshops, San Diego, CA, USA, February 23-28, 2025
https://www.ndss-symposium.org/ndss2025/submisions/call-for-papers/

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025
https://petsymposium.org/cfp25.php
Submission dates: 31 May 2024, 31 August 2024, 30 November 2024, and 28 February 2025

DFDS 2025 1st Digital Forensics Doctoral Symposium, Held in conjunction with Digital Forensics Research Conference Europe (DFRWS EU 2025), Brno, Czech Republic, April 1, 2025
https://www.dfrws.org/conferences/dfds2025/

DFRWS EU 2025 Digital Forensics Research Conference Europe, Hybrid, Brno, Czech Republic, April 1-4, 2025
https://dfrws.org/conferences/dfrws-eu-2025/

SaTML 2025 3rd IEEE Conference on Secure and Trustworthy Machine Learning, Copenhagen, Denmark, April 9-11, 2025
https://satml.org/participate-cfp/

HOST 2025 18th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA, May 5-8, 2025
http://www.hostsymposium.org/call-for-paper.php

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 12-15, 2025
https://www.sp2025ieee-security.org/cfpapers.html

PETS 2025 25th Privacy Enhancing Technologies Symposium, Washington, DC and Online, July 14-19, 2025
https://petsymposium.org/cfp25.php

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025
https://www.usenix.org/conference/usenixsecurity25

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the
Computer Society's Digital Library.

   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
   Gabriela Ciocarlie
   Associate Professor
   University of Texas at San Antonio
   tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
   Daniel Takabi
   Associate Professor
   Georgia State University
   https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
   Thorsten Holtz
   Faculty Member
   CISPA Helmholtz Center for Information Security
   tcchair at ieee-security.org

Treasurer:
   Yong Guan
   Professor
   Department of Electrical and Computer Engineering
   Iowa State University, Ames, IA 50011
   treasurer@ieee-security.org

Newsletter Editor:
   Hilarie Orman
   Purple Streak, Inc.
   500 S. Maple Dr.
   Woodland Hills, UT 84653
   cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
   Trent Jaeger
   Associate Professor
   Pennsylvania State University
   https://www.cse.psu.edu/~trj1/
   sp24-chair@ieee-security.org

TC Awards Chair:
   Tegan Brennan
   Assistant Professor
   Stevens Institute of Technology
   tbrenna5 at stevens.edu

____________________________________________________________________________
BACK ISSUES:
____________________________________________________________________________

Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year