Madiba Security Research Group

Concordia Institute for Information Systems Engineering
Faculty of Engineering and Computer Science

Publications

2017

Short Paper: TLS Ecosystems in Networked Devices vs. Web Servers
N. Samarasinghe and M. Mannan. Financial Cryptography and Data Security (FC 2017), Apr. 3-7, 2017, Malta.

2016

Hypnoguard: Protecting Secrets across Sleep-wake Cycles
L. Zhao and M. Mannan. ACM Conference on Computer and Communications Security (CCS 2016), Oct. 24-28, 2016, Vienna, Austria.
Deceptive Deletion Triggers under Coercion
Pre-print version: July 28, 2016.
L. Zhao and M. Mannan. IEEE Transactions on Information Forensics and Security (TIFS), 11(12): 2763-2776 (December 2016).
An Evaluation of Recent Secure Deduplication Proposals
Pre-print version: Oct. 19, 2015, © Elsevier.
V. Rabotka and M. Mannan. Elsevier Journal of Information Security and Applications (JISA), Special Issue on "Security and Privacy in Cloud Computing", volumes 27-28, pages 3-18 (April-May 2016).
Killed by Proxy: Analyzing Client-end TLS Interception Software
X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2016),
Feb. 21-24, 2016, San Diego, CA, USA.

2015

Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges
G. Dagher, B. Bunz, J. Bonneau, J. Clark, and D. Boneh. ACM Conference on Computer and Communications Security (CCS 2015),
Oct. 12-16, 2015, Denver, CO, USA.
Peace vs. Privacy: Leveraging Conflicting Jurisdictions for Email Security
(Post-proceedings version: Nov. 3, 2015, © ACM.) M. Mannan, A. Shahkar, A. Saberi Pirouz and V. Rabotka.
New Security Paradigms Workshop 2015 (NSPW'15), Sept. 8-11, 2015, Twente, The Netherlands.
Large-Scale Evaluation of High-Impact Password Strength Meters
Pre-print version: Feb. 27, 2015, © ACM. DOI: 10.1145/2739044.
X. de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015).
Diffusion of Voter Responsibility: Potential Failings in E2E Receipt Checking
E. Moher, J. Clark, and A. Essex. USENIX Journal of Election Technology (JETS), 3(1), Dec. 2014.
JETS Workshop, Aug. 11, 2015, Washington, DC, USA.
Research Perspectives and Challenges for Bitcoin and Cryptocurrencies
J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. Kroll, and E. W. Felten. IEEE Symposium on Security and Privacy (IEEE SSP 2015),
May 18-20, 2015, San Jose, CA, USA.
Gracewipe: Secure and Verifiable Deletion under Coercion.
L. Zhao and M. Mannan. Network and Distributed System Security Symposium (NDSS 2015),
Feb. 8-11, 2015, San Diego, CA, USA.
A First Look at the Usability of Bitcoin Key Management
S. Eskandari, D. Barrera, E. Stobert, and J. Clark. NDSS Workshop on Usable Security (USEC 2015),
Feb. 8, 2015, San Diego, CA, USA.

2014

Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software
X. de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC 2014),
Dec. 8-12, 2014, New Orleans, Louisiana, USA.
Baton: Certificate Agility for Android's Decentralized Signing Infrastructure
D. Barrera, D. McCarney, J. Clark, and P.C. van Oorschot. ACM Security and Privacy in Wireless and Mobile Networks (WiSec 2014),
July 23-25, 2014, Oxford, UK.
On Decentralizing Prediction Markets and Order Books
J. Clark, J. Bonneau, E.W. Felten, J.A. Kroll, A. Miller, and A. Narayanan. Workshop on Economics of Information Security (WEIS 2014),
June 23-24, 2014, State College, PA, USA.
BackRef: Accountability in Anonymous Communication Networks
M. Backes, J. Clark, P. Druschel, A. Kate, and M. Simeonovski. Applied Cryptography and Network Security (ACNS 2014),
June 10-13, 2014, Switzerland.
Mixcoin: Anonymity for Bitcoin with Accountable Mixes
J. Bonneau, A. Narayanan, A. Miller, J. Clark, J.A. Kroll, and E.W. Felten. Financial Cryptography (FC 2014),
Mar. 3-7, 2014, Barbados.
From Very Weak to Very Strong: Analyzing Password Strength Meters
X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2014),
Feb. 23-26, 2014, San Diego, CA, USA.
Mobiflage: Deniable Storage Encryption for Mobile Devices
(Pre-print version: Dec. 2, 2013, © IEEE), DOI: 10.1109/TDSC.2013.56
A. Skillen and M. Mannan. IEEE Transactions on Dependable and Secure Computing (TDSC), Special Issue on "Security and Privacy in Mobile Platforms",
11(3):224-237, (May/June 2014).
Detection of Malicious Payload Distribution Channels in DNS
(Version: February 12, 2014, © IEEE)
A. Mert Kara, H. Binsalleeh, M. Mannan, A. Youssef, and M. Debbabi. Communications and Information Systems Security Symposium (CISS), IEEE International Conference on Communications 2014 (ICC'14),
Sydney, Australia, June 10-14, 2014.
[Tech. Report] FriendlyMail: Confidential and Verified Emails among Friends
(Version: March 20, 2014)
A. Saberi Pirouz, V. Rabotka, and M. Mannan. Spectrum, Concordia University.

2013

Explicit Authentication Response Considered Harmful
(Post-proceedings version: October 26, 2013). L. Zhao and M. Mannan. New Security Paradigms Workshop 2013 (NSPW'13),
Sept. 9-12, 2013, Banff, Canada.
On Implementing Deniable Storage Encryption for Mobile Devices
(Version: December 3, 2012). A. Skillen and M. Mannan. Network and Distributed System Security Symposium (NDSS'13),
Feb. 24-27, 2013, San Diego, CA, USA.
Eroding Trust and the CA Debacle
(Speaker, invited) J. Clark. USENIX Summit on Hot Topics in Security (HotSec 2013),
Aug. 13, 2013, Washington DC, USA.
SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements
J. Clark and P. C. van Oorschot. IEEE Symposium on Security and Privacy (IEEE SSP 2013),
May 18-20, 2013, San Jose, CA, USA.
[Tech. Report] Myphrase: Passwords from your Own Words
(Version: January 25, 2013),
A. Skillen and M. Mannan. Spectrum, Concordia University.

2012

Lightweight Client-side Methods for Detecting Email Forgery
(Version: July 23, 2012 © Springer),
E. Lin, J. Aycock, and M. Mannan. Workshop on Information Security Applications (WISA2012),
Aug. 16-18, 2012, Jeju Island, South Korea, LNCS Volume 7690, pp 254-269.
Passwords for Both Mobile and Desktop Computers: ObPwd for Firefox and Android
(Author copy, version: July 12, 2012),
M. Mannan and P.C. van Oorschot. USENIX ;login: 37(4): 28-37 (Aug. 2012).
Revisiting Defenses Against Large-Scale Online Password Guessing Attacks
(Pre-print version: Nov. 1, 2011, © IEEE),
M. Alsaleh, M. Mannan, and P.C. van Oorschot. IEEE Transactions on Dependable and Secure Computing (TDSC),
9(1): 128-141 (Jan/Feb 2012).

2011

Unicorn: Two-Factor Attestation for Data Security
(Version: Aug. 11, 2011 © ACM),
M. Mannan, B.H. Kim, A. Ganjali, and D. Lie. ACM Conference on Computer and Communications Security (CCS 2011),
Oct. 17-21, 2011, Chicago, IL, USA.
  • Seminar (David Lie): University of Texas, Austin, USA, Feb. 2, 2012 (Featured by The Daily Texan).
  • Workshop (David Lie): EaGL-SysNet, University at Buffalo, NY, USA, August 20, 2011.
  • Seminar: TechnoTalks, Vanier College, Montreal, Canada, Sept. 21, 2011.

Theses

Towards Usable and Fine-grained Security for HTTPS with Middleboxes
Abhimanyu Khanna -- M.A.Sc. Thesis -- Apr. 24, 2017
Detecting Privacy Leaks Through Existing Android Frameworks
Parul Khanna -- M.A.Sc. Thesis -- Apr. 18, 2017
BinType: A Scalable Type Inference Tool for Compiled C Programs
Briti Sundar Mondal -- M.A.Sc. Thesis -- Aug. 26, 2016
On Matching Binary to Source Code
Arash Shahkar -- M.A.Sc. Thesis -- Mar. 1, 2016
On End-to-end Encryption for Cloud-based Services
Suryadipta Majumdar -- M.A.Sc. Thesis -- Sept. 8, 2014
A Large-scale Evaluation of High-impact Password Strength Meters
Xavier de Carné de Carnavalet -- M.A.Sc. Thesis -- Apr. 7, 2014
Malicious Payload Distribution Channels in Domain Name System
A. Mert Kara -- M.A.Sc. Thesis -- Jan. 10, 2014
Securing Email through Online Social Networks
Atieh Saberi Pirouz -- M.A.Sc. Thesis -- Aug. 27, 2013
Deniable Storage Encryption for Mobile Devices
Adam Skillen -- M.A.Sc. Thesis -- Apr. 3, 2013

Bugs and Flaws

The following is a list of software flaws identified by the students in my group. To some vendors, these bugs may be "features"; we nevertheless post them publicly so that individual users can take steps to secure their own systems. In most cases, we contact the vendors and our university IT departments before making these disclosures.

Windows 7/8 installation-time admin password caching
Xavier de Carné de Carnavalet, 2013
Android device unlock secret recovery
Adam Skillen, 2012