Thorsten Holz Sotiris Ioannidis (Eds.) Trust 4 and Trustworthy 6 5 8 S Computing C N L 7th International Conference, TRUST 2014 Heraklion, Crete, Greece, June 30 – July 2, 2014 Proceedings 123 Lecture Notes in Computer Science 8564 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA AlfredKobsa UniversityofCalifornia,Irvine,CA,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen TUDortmundUniversity,Germany DemetriTerzopoulos UniversityofCalifornia,LosAngeles,CA,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA GerhardWeikum MaxPlanckInstituteforInformatics,Saarbruecken,Germany Thorsten Holz Sotiris Ioannidis (Eds.) Trust and Trustworthy Computing 7th International Conference, TRUST 2014 Heraklion, Crete, Greece, June 30 – July 2, 2014 Proceedings 1 3 VolumeEditors ThorstenHolz Ruhr-UniversityBochum ChairforSystemsSecurity Universitätsstr.150,ID2/439,44780Bochum,Germany E-mail:[email protected] SotirisIoannidis InstituteofComputerScience FoundationforResearchandTechnology-Hellas(FORTH) N.Plastira100,VassilikaVouton,70013Heraklion,Crete,Greece E-mail:[email protected] ISSN0302-9743 e-ISSN1611-3349 ISBN978-3-319-08592-0 e-ISBN978-3-319-08593-7 DOI10.1007/978-3-319-08593-7 SpringerChamHeidelbergNewYorkDordrechtLondon LibraryofCongressControlNumber:Appliedfor LNCSSublibrary:SL4–SecurityandCryptology ©SpringerInternationalPublishingSwitzerland2014 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartof thematerialisconcerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation, broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionorinformation storageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodology nowknownorhereafterdeveloped.Exemptedfromthislegalreservationarebriefexcerptsinconnection withreviewsorscholarlyanalysisormaterialsuppliedspecificallyforthepurposeofbeingenteredand executedonacomputersystem,forexclusiveusebythepurchaserofthework.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheCopyrightLawofthePublisher’slocation, inistcurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Permissionsforuse maybeobtainedthroughRightsLinkattheCopyrightClearanceCenter.Violationsareliabletoprosecution undertherespectiveCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. Whiletheadviceandinformationinthisbookarebelievedtobetrueandaccurateatthedateofpublication, neithertheauthorsnortheeditorsnorthepublishercanacceptanylegalresponsibilityforanyerrorsor omissionsthatmaybemade.Thepublishermakesnowarranty,expressorimplied,withrespecttothe materialcontainedherein. Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Preface This volume contains the proceedings of the 7th International Conference on Trust and TrustworthyComputing (TRUST), held in Heraklion, Crete, Greece, during June 30-July 2, 2014. TRUST 2014 was hosted by the Institute of Com- puter Science of the Foundation for Research and Technology-Hellas (FORTH- ICS), Greece, and was sponsored by Trusted Computing Group, Intel, and Microsoft. Continuing the tradition of the previous conferences, held in Villach (2008), Oxford (2009), Berlin (2010), Pittsburgh (2011), Vienna (2012), and London (2013), TRUST 2014 provided a unique interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences inbuilding,designing,using,andunderstandingtrustworthycomputingsystems. The conference program of TRUST 2014 shows that research in trust and trustworthy computing is active, at a high level of competency, and that it spans a wide range of areas and topics. Papers dealt, for example, with topics such as a large-scale security analysis of the Web, hiding transaction amounts and balances in bitcoins, a security evaluation of specific physical unclonable functions,securityaspectsofmobilesystems,securityconsiderationsofTPM2.0, and location privacy. In total, 40 papers were submitted in response to the Call for Papers. All submissionswerecarefullyreviewedbyatleastthreeProgramCommitteemem- bersorexternalexpertsaccordingtothecriteriaofscientificnovelty,importance to the field, and technical quality. After an online discussion of all reviews, ten papers and three short papers were selected for presentation and publication in the conference proceedings. This amounts to an acceptance rate of 32.5%. We also encouraged people to report on work in progress by submitting two page abstracts describing ongoing research. A panel of experts reviewed these sub- mitted abstracts. Nine of these abstracts were selected to be included in these conference proceedings. We hope that these abstracts will convey a sense of the vibrancy and currentthemes of researchin trusted and trustworthy computing. Authorsoftheseabstractsalsopresentedpostersoftheirworkattheconference. Furthermore,the conferenceprogramcontainedseveralkeynotesandapanelby leaders in academia, industry, and governmentagencies. WewouldliketoexpressourgratitudetothosepeoplewithoutwhomTRUST 2014wouldnothavebeen this successful, andwhomwe mentionnowin no par- ticular order: the general chair Ioannis Askoxylakis, the publicity chair Manolis Stamatogiannakis,themembersoftheSteeringCommittee(whereAhmad-Reza Sadeghi deservesa special mentionfor his continuedand valuable adviceduring thepreparationofthisconference),thelocalOrganizingCommittee,thekeynote speakers, and the panel speakers (Jean-Pierre Seifert, Ingrid Verbauwede, and ChristianWachsmann).WealsowanttothankallProgramCommitteemembers VI Preface and their sub-reviewers; their hard work made sure that the scientific program was of high quality and reflected both the depth and breadthof researchin this area.Ourspecialthanksgoestoallthosewhosubmittedpapers,andtoallthose who presented posters and papers at the conference. June 2014 Sotiris Ioannidis Thorsten Holz Organization TRUST 2014 was organized by the Institute of Computer Science of the Foun- dation for Research and Technology-Hellas (FORTH-ICS), Greece. Steering Committee Alessandro Acquisti Carnegie Mellon University, USA Boris Balacheff Hewlett Packard, UK Paul England Microsoft, USA Michael Huth Imperial College London, UK Andrew Martin University of Oxford, UK Chris Mitchel Royal Holloway, University of London, UK Sean Smith Dartmouth College, USA Ahmad-Reza Sadeghi TU Darmstadt/Fraunhofer SIT, Germany Claire Vishik Intel, UK General Chair Ioannis Askoxylakis FORTH-ICS, Greece Program Chairs Thorsten Holz Ruhr University Bochum, Germany Sotiris Ioannidis FORTH, Greece Publicity Chair Manolis Stamatogiannakis VrijeUniversiteitAmsterdam,TheNetherlands Local Organizing Committee Nikolaos Petroulakis FORTH-ICS, Greece Theodosia Bitzou FORTH-ICS, Greece Program Committee Magnus Almgren Chalmers University of Technology, Sweden Elias Athanasopoulos FORTH, Greece VIII Organization Francesco di Cerbo SAP, France Liqun Chen HP Labs, UK Xuhua Ding Singapore Management University, Singapore Sascha Fahl Leibniz Universitt Hannover, Germany Peter Gutmann University of Auckland, New Zealand Limin Jia Carnegie Mellon University, USA Ghassan Karame NEC Laboratories, Germany Engin Kirda NorthEastern University, USA Michael Locasto University of Calgary, Canada Federico Maggi Politecnico di Milano, Italy Mohammad Mannan Concordia, Canada Jonathan McCune Google, USA Aziz Mohaisen Verisign, USA Sachar Paulus Fachhochschule Brandenburg, Germany Milan Petkovi Philips Research Europe, The Netherlands Vassilis Prevelakis Technische Universitt Braunschweig, Germany Christian Rossow Ruhr-University Bochum, Germany Matthias Schunter Intel, Germany Martin Vechev ETH Zurich, Switzerland Table of Contents TPM 2.0 DAA-Related APIs in TPM 2.0 Revisited ........................... 1 Li Xi, Kang Yang, Zhenfeng Zhang, and Dengguo Feng Continuous Tamper-Proof Logging Using TPM 2.0 ................... 19 Arunesh Sinha, Limin Jia, Paul England, and Jacob R. Lorch Trust in Embedded and Mobile Systems Affordable Separation on Embedded Platforms: Soft Reboot Enabled Virtualization on a Dual Mode System.............................. 37 Oliver Schwarz, Christian Gehrmann, and Viktor Do Owner-Centric Protection of Unstructured Data on Smartphones ...... 55 Yajin Zhou, Kapil Singh, and Xuxian Jiang On Usable Location Privacy for Android with Crowd-Recommendations ......................................... 74 Benjamin Henne, Christian Kater, and Matthew Smith Physical Unclonable Functions Lightweight Anti-counterfeiting Solution for Low-End Commodity Hardware Using Inherent PUFs.................................... 83 Andr´e Schaller, Tolga Arul, Vincent van der Leest, and Stefan Katzenbeisser Evaluation of Bistable Ring PUFs Using Single Layer Neural Networks ....................................................... 101 Dieter Schuster and Robert Hesselbarth Trust in the Web Large-Scale Security Analysis of the Web: Challenges and Findings..... 110 Tom van Goethem, Ping Chen, Nick Nikiforakis, Lieven Desmet, and Wouter Joosen Towards a Vulnerability Tree Security Evaluation of OpenStack’s Logical Architecture.............................................. 127 Doudou Fall, Takeshi Okuda, Youki Kadobayashi, and Suguru Yamaguchi X Table of Contents PrivLoc: Preventing Location Tracking in Geofencing Services ......... 143 Jens Mathias Bohli, Dan Dobre, Ghassan O. Karame, and Wenting Li Trust and Trustworthiness Hiding Transaction Amounts and Balances in Bitcoin................. 161 Elli Androulaki and Ghassan O. Karame Integration of Data-Minimising Authentication into Authorisation Systems ........................................................ 179 Dhouha Ayed, Patrik Bichsel, Jan Camenisch, and Jerry den Hartog Evaluating Trustworthiness through Monitoring: The Foot, the Horse and the Elephant ................................................ 188 Vinh Bui, Richard Verhoeven, and Johan Lukkien Poster Abstracts ExtendingDevelopmentMethodologieswithTrustworthiness-By-Design for Socio-Technical Systems (Extended Abstract) .................... 206 Nazila Gol Mohammadi, Torsten Bandyszak, Sachar Paulus, Per H˚akon Meland, Thorsten Weyer, and Klaus Pohl Challenges in Establishing Trustworthy Collaborations for Timely Responses to Emergency Animal Disease Incidents (Extended Abstract) ............................................. 208 John Zˇic Authentication System Using Encrypted Discrete Biometrics Data ..... 210 Kazuo Ohzeki, YuanYu Wei, Masaaki Kajihara, Masahiro Takatsuka, Yutaka Hirakawa, and Toru Sugimoto On the Development of Automated Forensic Analysis Methods for Mobile Devices .................................................. 212 Panagiotis Andriotis, Theo Tryfonas, George Oikonomou, Shancang Li, Zacharias Tzermias, Konstantinos Xynos, Huw Read, and Vassilis Prevelakis A Trusted Knowledge Management System for Multi-layer Threat Analysis ........................................................ 214 Thanasis Petsas, Kazuya Okada, Hajime Tazaki, Gregory Blanc, and Pawel(cid:2) Pawlin´ski Diagraming Approach to Structure the Security Lessons: Evaluation Using Cognitive Dimensions ....................................... 216 Ying He, Chris Johnson, Maria Evangelopoulou, and Zheng-Shuai Lin