Protecting Privacy of Web Users: Technical and Legal Perspectives

As millions of users browse the Web on a daily basis, their data is continuously collected by numerous companies and agencies with the help of Web tracking technologies. Website owners, however, must comply with recent EU privacy regulations (such as the GDPR and the ePrivacy Directive) and often rely on consent banners either to inform users or to collect their consent to tracking. In this talk, I discuss our recent research on Web tracking and the analysis of consent banners along three dimensions:
1) measurement: detection of Web tracking technologies and analysis of consent banners;
2) compliance: a multi-disciplinary discussion with legal scholars about potential violations of the GDPR and ePrivacy in the discovered practices, and with design scholars about the manipulative tactics used in consent banners and their legality;
3) evidence tools: our recent efforts in building browser extensions and evaluating user studies about consent banners for the regulator.
Finally, we present the impact of our work and underline the need for multi-disciplinary research in the area of Web privacy.

Formal and Automatic Network Security Configuration

Next-generation networks have introduced greater flexibility and dynamicity in networking systems, but at the same time they have led to new threats and challenges. The traditional approach of manually configuring Network Security Functions (NSFs) such as firewalls and VPN gateways is no longer feasible: it is not adequate for the ever-changing nature of modern networks and it is prone to human error. To overcome this problem, the native flexibility provided by virtualization can be exploited to automate network security management. However, achieving a high level of automation while providing formal assurance that security management operations (e.g., configuration and orchestration) fulfill given security properties is still a complex research challenge. This presentation describes some novel approaches that combine automation, formal verification, and optimization for network security management.

This is a joint seminar with FM-SEC.

Attendance via Zoom (ID: 933 8257 2879, Passcode: 546836). Livestream via YouTube.

Comprehensive Specification and Formal Analysis of Attestation Mechanisms in Confidential Computing

Zoom

Confidential Computing (CC) using hardware-based Trusted Execution Environments (TEEs) has emerged as a promising solution for protecting sensitive data in all forms. One of the fundamental characteristics of such TEEs is remote attestation, which provides mechanisms for securely measuring and reporting the state of the remote platform and computing environment to a user. We present a novel approach combining a TEE-agnostic attestation architecture with formal analysis, enabling comprehensive and rigorous security analysis of attestation mechanisms in CC. We demonstrate the application of our approach to three prominent industrial representatives, namely Arm Confidential Compute Architecture (CCA) among architecture-led solutions, Intel Trust Domain Extensions (TDX) among vendor solutions, and Secure CONtainer Environment (SCONE) among frameworks. For each of these solutions, we provide a comprehensive specification of all phases of the attestation mechanism in confidential computing, namely provisioning, initialization, and the attestation protocol. Our approach reveals design and security issues in Intel TDX and…