Biblio

The gap is widening between the processor clock speed of end-system architectures and network throughput capabilities. It is now physically possible to provide single-flow throughput of speeds up to 100 Gbps, and 400 Gbps will soon be possible. Most current research into high-speed data networking focuses on managing expanding network capabilities within datacenter Local Area Networks (LANs) or efficiently multiplexing millions of relatively small flows through a Wide Area Network (WAN). However, datacenter hyper-convergence places high-throughput networking workloads on general-purpose hardware, and distributed High-Performance Computing (HPC) applications require time-sensitive, high-throughput end-to-end flows (also referred to as ``elephant flows'') to occur over WANs. For these applications, the bottleneck is often the end-system and not the intervening network. Since the problem of the end-system bottleneck was uncovered, many techniques have been developed which address this mismatch with varying degrees of effectiveness. In this survey, we describe the most promising techniques, beginning with network architectures and NIC design, continuing with operating and end-system architectures, and concluding with clean-slate protocol design.

In the field of smartphones a number of proposals suggest that sensing the ambient environment can act as an effective anti-relay mechanism. However, existing literature is not compliant with industry standards (e.g. EMV and ITSO) that require transactions to complete within a certain time-frame (e.g. 500ms in the case of EMV contactless payments). In previous work the generation of an artificial ambient environment (AAE), and especially the use of infrared light as an AAE actuator was shown to have high success rate in relay attacks detection. In this paper we investigate the application of infrared as a relay attack detection technique in various scenarios, namely, contactless transactions (mobile payments, transportation ticketing, and physical access control), and continuous Two-Factor Authentication. Operating requirements and architectures are proposed for each scenario, while taking into account industry imposed performance requirements, where applicable. Protocols for integrating the solution into the aforementioned scenarios are being proposed, and formally verified. The impact on the performance is assessed through practical implementation. Proposed protocols are verified using Scyther, a formal mechanical verification tool. Finally, additional scenarios, in which this technique can be applied to prevent relay or other types of attacks, are discussed.

Cross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In this paper, we focus on CSRF attacks targeting web sites' authentication and identity management functionalities. We will refer to them collectively as Authentication CSRF (Auth-CSRF in short). We started by collecting several Auth-CSRF attacks reported in the literature, then analyzed their underlying strategies and identified 7 security testing strategies that can help a manual tester uncover vulnerabilities enabling Auth-CSRF. In order to check the effectiveness of our testing strategies and to estimate the incidence of Auth-CSRF, we conducted an experimental analysis considering 300 web sites belonging to 3 different rank ranges of the Alexa global top 1500. The results of our experiments are alarming: out of the 300 web sites we considered, 133 qualified for conducting our experiments and 90 of these suffered from at least one vulnerability enabling Auth-CSRF (i.e. 68%). We further generalized our testing strategies, enhanced them with the knowledge we acquired during our experiments and implemented them as an extension (namely CSRF-checker) to the open-source penetration testing tool OWASP ZAP. With the help of CSRFchecker, we tested 132 additional web sites (again from the Alexa global top 1500) and identified 95 vulnerable ones (i.e. 72%). Our findings include serious vulnerabilities among the web sites of Microsoft, Google, eBay etc. Finally, we responsibly disclosed our findings to the affected vendors.