8th International Workshop on

Analysis of Security APIs

Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy


Aim and Format

Security APIs allow untrusted code to access sensitive resources in a secure way. Security API analysis is an emerging field of computer security research. Following on from a highly productive Dagstuhl Seminar in 2012, the ASA workshop series continues to bring together researchers working in security API analysis for a day of presentations and discussions.

Polished research papers are not solicited. Instead, the workshop will follow the format that was highly successful at ASA in 2007-14: prospective participants are invited to submit a short (1-4 page) abstract describing their current work and/or interests in the area. We plan to have sessions of 30-minute talks by participants.

We will distribute abstracts and slides online, as in previous years, but we have no plans for formal proceedings or special issues of journals etc. The purpose of ASA is to encourage interactions rather than to produce archival papers, and as such, we encourage the submission of abstracts related to work published elsewhere.

Scope

The scope of ASA runs from theoretical results and formalisms for API analysis right through to applications and empirical results with security APIs deployed "in the field". Previous work at ASA has dealt with APIs in financial applications (e.g. APIs of Hardware Security Modules), cryptographic APIs like RSA PKCS#11, the Trusted Computing Architecture, concurrency-based attacks on filesystem APIs and security APIs for preserving privacy in web-based applications. Papers on new API-related topics not previously covered at ASA are especially welcome.

Submission

Submission is via the EasyChair website. Please use the EasyChair LaTeX class file if you are preparing your abstract with LaTeX (if you have to use something else, please contact us at asa8@easychair.org). All submissions will be reviewed by the Programme Committee.

Submission deadline: Deadline extended to 4 May 2015
Notification to authors: Postponed to 18 May 2015

Programme Committee

  • Mike Bond, Cryptomathic, UK
  • Dan Cvrcek, Smart Architects, UK
  • Riccardo Focardi, Ca' Foscari University, Italy (chair)
  • Joshua D. Guttman, WPI, USA
  • Ralf Küsters, Universität Trier, Germany
  • Graham Steel, Cryptosense, France
  • Petr Svenda, FI MUNI, Czech Republic

Previous Editions

Links to previous editions are available at the ASA web page.

Program

09:30 - 09:35 Welcome
Invited Talk
09:35 - 10:30 Sandboxing HTML pages with API wrappers as a countermeasure to malicious third party code attacks. A lesson learned.
Stefano Di Paola, CTO & Chief Scientist at Minded Security
Abstract
The browser's HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to the success we see now, it is quite unsatisfactory from a security perspective. In fact, this solution does not address the problem of letting third-party code access all the data in the DOM once it is explicitly loaded and executed by the browser. This behaviour opens the door to malicious third-party code attacks, which can be mounted either through Cross-Site Scripting (an OWASP Top Ten security risk #1 for many years) or through second-order attacks such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on the successes and failures of the most interesting open-source browser sandboxing techniques.
10:30 - 11:00 Coffee break
Session 1: Cryptographic APIs
Chair: Graham Steel
11:00 - 11:30 Checking Applications using Security APIs with JOANA
Juergen Graf, Martin Hecker, Martin Mohr and Gregor Snelting
11:30 - 12:00 Run-time analysis of PKCS#11 attacks
Gianluca Caiazza, Riccardo Focardi and Marco Squarcina
12:00 - 12:30 Cryptosense: Taming uses of Crypto API
Louis Roché
12:30 - 14:00 Lunch break
Session 2: Secure devices
Chair: Riccardo Focardi
14:00 - 14:30 Analysis of the HIS Security Module
Sibylle Froeschle and Peter Gewald
14:30 - 15:00 How to get rid of the Internet in the Internet of Things?
Yannick Chevalier
15:00 - 15:30 On the Trust of Trusted Computing in the Post-Snowden Age
Feng Hao
15:30 - 16:00 Coffee break
Session 3: Web APIs
Chair: Joshua Guttman
16:00 - 16:30 Formal Analysis of Web Applications with Insecure Database APIs due to SQL Injection Attacks
Federico De Meo, Marco Rocchetto and Luca Viganò
16:30 - 17:00 Development of security extensions based on Chrome APIs
Mauro Tempesta and Riccardo Focardi

Registration

Registration should be done on the IEEE CSF registration page at the following fees:

Advance registration (extended to 15 June): 75 EUR
Late / on-site registration (16 June - 13 July): 90 EUR
Note: advance registration has been extended to 15 June because of technical problems.

Venue

The workshop will be held at the Department of Computer Science of the University of Verona, Italy, which is located about 5 km outside the city centre, at Strada Le Grazie 15. Detailed information can be found on the IEEE CSF venue and location pages. Please note that the workshop location is different from the IEEE CSF location.

If you fancy a night at the opera in the wonderful ancient Arena, the conference organisation offers tickets at a discounted price (the cheapest is only 10 euros). More information is on the IEEE CSF venue page.