Found 5551 results

Filters: Keyword is pubcrawl  [Clear All Filters]
Nicho, M., Khan, S. N..  2018.  A Decision Matrix Model to Identify and Evaluate APT Vulnerabilities at the User Plane. 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). :1155-1160.
While advances in cyber-security defensive mechanisms have substantially prevented malware from penetrating into organizational Information Systems (IS) networks, organizational users have found themselves vulnerable to threats emanating from Advanced Persistent Threat (APT) vectors, mostly in the form of spear phishing. In this respect, the question of how an organizational user can differentiate between a genuine communication and a similar looking fraudulent communication in an email/APT threat vector remains a dilemma. Therefore, identifying and evaluating the APT vector attributes and assigning relative weights to them can assist the user to make a correct decision when confronted with a scenario that may be genuine or a malicious APT vector. In this respect, we propose an APT Decision Matrix model which can be used as a lens to build multiple APT threat vector scenarios to identify threat attributes and their weights, which can lead to systems compromise.
Khryashchev, Vladimir, Ivanovsky, Leonid, Priorov, Andrey.  2018.  Deep Learning for Real-Time Robust Facial Expression Analysis. Proceedings of the International Conference on Machine Vision and Applications. :66–70.
The aim of this investigation is to classify real-life facial images into one of six types of emotions. For solving this problem, we propose to use deep machine learning algorithms and convolutional neural network (CNN). CNN is a modern type of neural network, which allows for rapid detection of various objects, as well as to make an effective object classification. For acceleration of CNN learning stage, we use supercomputer NVIDIA DGX-1. This process was implemented in parallel on a large number of independent streams on GPU. Numerical experiments for algorithms were performed on the images of Multi-Pie image database with various lighting of scene and angle rotation of head. For developed models, several metrics of quality were calculated. The designing algorithm was used in real-time video processing in human-computer interaction systems. Moreover, expression recognition can apply in such fields as retail analysis, security, video games, animations, psychiatry, automobile safety, educational software, etc.
Verdoliva, Luisa.  2018.  Deep Learning in Multimedia Forensics. Proceedings of the 6th ACM Workshop on Information Hiding and Multimedia Security. :3–3.
With the widespread diffusion of powerful media editing tools, falsifying images and videos has become easier and easier in the last few years. Fake multimedia, often used to support fake news, represents a growing menace in many fields of life, notably in politics, journalism, and the judiciary. In response to this threat, the signal processing community has produced a major research effort. A large number of methods have been proposed for source identification, forgery detection and localization, relying on the typical signal processing tools. The advent of deep learning, however, is changing the rules of the game. On one hand, new sophisticated methods based on deep learning have been proposed to accomplish manipulations that were previously unthinkable. On the other hand, deep learning provides also the analyst with new powerful forensic tools. Given a suitably large training set, deep learning architectures ensure usually a significant performance gain with respect to conventional methods, and a much higher robustness to post-processing and evasions. In this talk after reviewing the main approaches proposed in the literature to ensure media authenticity, the most promising solutions relying on Convolutional Neural Networks will be explored with special attention to realistic scenarios, such as when manipulated images and videos are spread out over social networks. In addition, an analysis of the efficacy of adversarial attacks on such methods will be presented.
Zhang, Dajun, Yu, F. Richard, Yang, Ruizhe, Tang, Helen.  2018.  A Deep Reinforcement Learning-based Trust Management Scheme for Software-defined Vehicular Networks. Proceedings of the 8th ACM Symposium on Design and Analysis of Intelligent Vehicular Networks and Applications. :1–7.
Vehicular ad hoc networks (VANETs) have become a promising technology in intelligent transportation systems (ITS) with rising interest of expedient, safe, and high-efficient transportation. VANETs are vulnerable to malicious nodes and result in performance degradation because of dynamicity and infrastructure-less. In this paper, we propose a trust based dueling deep reinforcement learning approach (T-DDRL) for communication of connected vehicles, we deploy a dueling network architecture into a logically centralized controller of software-defined networking (SDN). Specifically, the SDN controller is used as an agent to learn the most trusted routing path by deep neural network (DNN) in VANETs, where the trust model is designed to evaluate neighbors' behaviour of forwarding routing information. Simulation results are presented to show the effectiveness of the proposed T-DDRL framework.
Wang, Bingning, Liu, Kang, Zhao, Jun.  2018.  Deep Semantic Hashing with Multi-Adversarial Training. Proceedings of the 27th ACM International Conference on Information and Knowledge Management. :1453–1462.
With the amount of data has been rapidly growing over recent decades, binary hashing has become an attractive approach for fast search over large databases, in which the high-dimensional data such as image, video or text is mapped into a low-dimensional binary code. Searching in this hamming space is extremely efficient which is independent of the data size. A lot of methods have been proposed to learn this binary mapping. However, to make the binary codes conserves the input information, previous works mostly resort to mean squared error, which is prone to lose a lot of input information [11]. On the other hand, most of the previous works adopt the norm constraint or approximation on the hidden representation to make it as close as possible to binary, but the norm constraint is too strict that harms the expressiveness and flexibility of the code. In this paper, to generate desirable binary codes, we introduce two adversarial training procedures to the hashing process. We replace the L2 reconstruction error with an adversarial training process to make the codes reserve its input information, and we apply another adversarial learning discriminator on the hidden codes to make it proximate to binary. With the adversarial training process, the generated codes are getting close to binary while also conserves the input information. We conduct comprehensive experiments on both supervised and unsupervised hashing applications and achieves a new state of the arts result on many image hashing benchmarks.
Lu, Chris Xiaoxuan, Du, Bowen, Zhao, Peijun, Wen, Hongkai, Shen, Yiran, Markham, Andrew, Trigoni, Niki.  2018.  Deepauth: In-situ Authentication for Smartwatches via Deeply Learned Behavioural Biometrics. Proceedings of the 2018 ACM International Symposium on Wearable Computers. :204–207.
This paper proposes DeepAuth, an in-situ authentication framework that leverages the unique motion patterns when users entering passwords as behavioural biometrics. It uses a deep recurrent neural network to capture the subtle motion signatures during password input, and employs a novel loss function to learn deep feature representations that are robust to noise, unseen passwords, and malicious imposters even with limited training data. DeepAuth is by design optimised for resource constrained platforms, and uses a novel split-RNN architecture to slim inference down to run in real-time on off-the-shelf smartwatches. Extensive experiments with real-world data show that DeepAuth outperforms the state-of-the-art significantly in both authentication performance and cost, offering real-time authentication on a variety of smartwatches.
Rouhani, Bita Darvish, Riazi, M. Sadegh, Koushanfar, Farinaz.  2018.  Deepsecure: Scalable Provably-secure Deep Learning. Proceedings of the 55th Annual Design Automation Conference. :2:1–2:6.
This paper presents DeepSecure, the an scalable and provably secure Deep Learning (DL) framework that is built upon automated design, efficient logic synthesis, and optimization methodologies. DeepSecure targets scenarios in which neither of the involved parties including the cloud servers that hold the DL model parameters or the delegating clients who own the data is willing to reveal their information. Our framework is the first to empower accurate and scalable DL analysis of data generated by distributed clients without sacrificing the security to maintain efficiency. The secure DL computation in DeepSecure is performed using Yao's Garbled Circuit (GC) protocol. We devise GC-optimized realization of various components used in DL. Our optimized implementation achieves up to 58-fold higher throughput per sample compared with the best prior solution. In addition to the optimized GC realization, we introduce a set of novel low-overhead pre-processing techniques which further reduce the GC overall runtime in the context of DL. Our extensive evaluations demonstrate up to two orders-of-magnitude additional runtime improvement achieved as a result of our pre-processing methodology.
Fang, Yong, Li, Yang, Liu, Liang, Huang, Cheng.  2018.  DeepXSS: Cross Site Scripting Detection Based on Deep Learning. Proceedings of the 2018 International Conference on Computing and Artificial Intelligence. :47-51.
Nowadays, Cross Site Scripting (XSS) is one of the major threats to Web applications. Since it's known to the public, XSS vulnerability has been in the TOP 10 Web application vulnerabilities based on surveys published by the Open Web Applications Security Project (OWASP). How to effectively detect and defend XSS attacks are still one of the most important security issues. In this paper, we present a novel approach to detect XSS attacks based on deep learning (called DeepXSS). First of all, we used word2vec to extract the feature of XSS payloads which captures word order information and map each payload to a feature vector. And then, we trained and tested the detection model using Long Short Term Memory (LSTM) recurrent neural networks. Experimental results show that the proposed XSS detection model based on deep learning achieves a precision rate of 99.5% and a recall rate of 97.9% in real dataset, which means that the novel approach can effectively identify XSS attacks.
Francalino, Wagner, Callado, Arthur de Castro, Jucá, Paulyne Matthews.  2018.  Defining and Implementing a Test Automation Strategy in an IT Company. Proceedings of the Euro American Conference on Telematics and Information Systems. :40:1–40:5.
Software testing is very important for software quality assurance. However, the test activity is not a simple task and requires good planning to be successful. It is in this context that the automation of tests gains importance. This paper presents the experience of defining and implementing a test automation strategy for functional tests based on the Brazilian Test Process Improvement Model (MPT.Br) in an IT company. The results of this work include the improvement of the testing process used by the company, the increase in the test coverage and the reduction of time used to perform regression tests.
Guerriero, Michele, Tamburri, Damian Andrew, Di Nitto, Elisabetta.  2018.  Defining, Enforcing and Checking Privacy Policies in Data-Intensive Applications. Proceedings of the 13th International Conference on Software Engineering for Adaptive and Self-Managing Systems. :172-182.
The rise of Big Data is leading to an increasing demand for large-scale data-intensive applications (DIAs), which have to analyse massive amounts of personal data (e.g. customers' location, cars' speed, people heartbeat, etc.), some of which can be sensitive, meaning that its confidentiality has to be protected. In this context, DIA providers are responsible for enforcing privacy policies that account for the privacy preferences of data subjects as well as for general privacy regulations. This is the case, for instance, of data brokers, i.e. companies that continuously collect and analyse data in order to provide useful analytics to their clients. Unfortunately, the enforcement of privacy policies in modern DIAs tends to become cumbersome because (i) the number of policies can easily explode, depending on the number of data subjects, (ii) policy enforcement has to autonomously adapt to the application context, thus, requiring some non-trivial runtime reasoning, and (iii) designing and developing modern DIAs is complex per se. For the above reasons, we need specific design and runtime methods enabling so called privacy-by-design in a Big Data context. In this article we propose an approach for specifying, enforcing and checking privacy policies on DIAs designed according to the Google Dataflow model and we show that the enforcement approach behaves correctly in the considered cases and introduces a performance overhead that is acceptable given the requirements of a typical DIA.
Chen, Muhao, Zhao, Qi, Du, Pengyuan, Zaniolo, Carlo, Gerla, Mario.  2018.  Demand-driven Cache Allocation Based on Context-aware Collaborative Filtering. Proceedings of the Eighteenth ACM International Symposium on Mobile Ad Hoc Networking and Computing. :302–303.
Many recent advances of network caching focus on i) more effectively modeling the preferences of a regional user group to different web contents, and ii) reducing the cost of content delivery by storing the most popular contents in regional caches. However, the context under which the users interact with the network system usually causes tremendous variations in a user group's preferences on the contents. To effectively leverage such contextual information for more efficient network caching, we propose a novel mechanism to incorporate context-aware collaborative filtering into demand-driven caching. By differentiating the characterization of user interests based on a priori contexts, our approach seeks to enhance the cache performance with a more dynamic and fine-grained cache allocation process. In particular, our approach is general and adapts to various types of context information. Our evaluation shows that this new approach significantly outperforms previous non-demand-driven caching strategies by offering much higher cached content rate, especially when utilizing the contextual information.
Psallidas, Fotis, Wu, Eugene.  2018.  Demonstration of Smoke: A Deep Breath of Data-Intensive Lineage Applications. Proceedings of the 2018 International Conference on Management of Data. :1781–1784.
Data lineage is a fundamental type of information that describes the relationships between input and output data items in a workflow. As such, an immense amount of data-intensive applications with logic over the input-output relationships can be expressed declaratively in lineage terms. Unfortunately, many applications resort to hand-tuned implementations because either lineage systems are not fast enough to meet their requirements or due to no knowledge of the lineage capabilities. Recently, we introduced a set of implementation design principles and associated techniques to optimize lineage-enabled database engines and realized them in our prototype database engine, namely, Smoke. In this demonstration, we showcase lineage as the building block across a variety of data-intensive applications, including tooltips and details on demand; crossfilter; and data profiling. In addition, we show how Smoke outperforms alternative lineage systems to meet or improve on existing hand-tuned implementations of these applications.
Senthivel, Saranyan, Dhungana, Shrey, Yoo, Hyunguk, Ahmed, Irfan, Roussev, Vassil.  2018.  Denial of Engineering Operations Attacks in Industrial Control Systems. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. :319–329.
We present a new type of attack termed denial of engineering operations in which an attacker can interfere with the normal cycle of an engineering operation leading to a loss of situational awareness. Specifically, the attacker can deceive the engineering software during attempts to retrieve the ladder logic program from a programmable logic controller (PLC) by manipulating the ladder logic on the PLC, such that the software is unable to process it while the PLC continues to execute it successfully. This attack vector can provide sufficient cover for the attacker»s actual scenario to play out while the owner tries to understand the problem and reestablish positive operational control. To enable the forensic analysis and, eventually, eliminate the threat, we have developed the first decompiler for ladder logic programs. Ladder logic is a graphical programming language for PLCs that control physical processes such as power grid, pipelines, and chemical plants; PLCs are a common target of malicious modifications leading to the compromise of the control behavior (and potentially serious consequences). Our decompiler, Laddis, transforms a low-level representation to its corresponding high-level original representation comprising of graphical symbols and connections. The evaluation of the accuracy of the decompiler on the program of varying complexity demonstrates perfect reconstruction of the original program. We present three new attack scenarios on PLC-deployed ladder logic and demonstrate the effectiveness of the decompiler on these scenarios.
Cornelissen, Laurenz A., Barnett, Richard J, Kepa, Morakane A. M., Loebenberg-Novitzkas, Daniel, Jordaan, Jacques.  2018.  Deploying South African Social Honeypots on Twitter. Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists. :179-187.
Inspired by the simple, yet effective, method of tweeting gibberish to attract automated social agents (bots), we attempt to create localised honeypots in the South African political context. We produce a series of defined techniques and combine them to generate interactions from users on Twitter. The paper offers two key contributions. Conceptually, an argument is made that honeypots should not be confused for bot detection methods, but are rather methods to capture low-quality users. Secondly, we successfully generate a list of 288 local low quality users active in the political context.
Ammar, Zakariya, AlSharif, Ahmad.  2018.  Deployment of IoT-based Honeynet Model. Proceedings of the 6th International Conference on Information Technology: IoT and Smart City. :134–139.
This paper deals with the developing model of a honeynet that depends on the Internet of things (IoT). Due to significant of industrial services, such model helps enhancement of information security detection in industrial domain, the model is designed to detect adversaries whom attempt to attack industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. The model consists of hardware and software aspects, designed to focus on ICS services that managed remotely via SCADA systems. In order to prove the work of the model, a few of security tools are used such as Shodan, Nmap and others. These tools have been applied locally inside LAN and globally via internet to get proving results. Ultimately, results contain a list of protocols and ports that represent industry control services. To clarify outputs, it contains tcp/udp ports 623, 102, 1025 and 161 which represent respectively IPMI, S7comm, KAMSTRAP and SNMP services.
Morris, Alexis, Lessio, Nadine.  2018.  Deriving Privacy and Security Considerations for CORE: An Indoor IoT Adaptive Context Environment. Proceedings of the 2Nd International Workshop on Multimedia Privacy and Security. :2–11.
The internet-of-things (IoT) consists of embedded devices and their networks of communication as they form decentralized frameworks of ubiquitous computing services. Within such decentralized systems the potential for malicious actors to impact the system is significant, with far-reaching consequences. Hence this work addresses the challenge of providing IoT systems engineers with a framework to elicit privacy and security design considerations, specifically for indoor adaptive smart environments. It introduces a new ambient intelligence indoor adaptive environment framework (CORE) which leverages multiple forms of data, and aims to elicit the privacy and security needs of this representative system. This contributes both a new adaptive IoT framework, but also an approach to systematically derive privacy and security design requirements via a combined and modified OCTAVE-Allegro and Privacy-by-Design methodology. This process also informs the future developments and evaluations of the CORE system, toward engineering more secure and private IoT systems.
Azhagumurgan, R., Sivaraman, K., Ramachandran, S. S., Yuvaraj, R., Veeraraghavan, A. K..  2018.  Design and Development of Acoustic Power Transfer Using Infrasonic Sound. 2018 International Conference on Power, Energy, Control and Transmission Systems (ICPECTS). :43–46.
Wireless transmission of power has been in research for over a century. Our project aims at transmitting electric power over a distance of room. Various methods using microwaves, lasers, inductive coupling, capacitive coupling and acoustic medium have been used. In our project, we are majorly focusing on acoustic method of transferring power. Previous attempts of transferring power using acoustic methods have employed the usage of ultrasonic sound. In our project, we are using infrasonic sound as a medium to transfer electrical power. For this purpose, we are using suitable transducers and converters to transmit electric power from the 220V AC power supply to a load over a considerable distance. This technology can be used to wirelessly charge various devices more effectively.
Ayers, Hudson, Crews, Paul Thomas, Teo, Hubert Hua Kian, McAvity, Conor, Levy, Amit, Levis, Philip.  2018.  Design Considerations for Low Power Internet Protocols. Proceedings of the 16th ACM Conference on Embedded Networked Sensor Systems. :317–318.
Examining implementations of the 6LoWPAN Internet Standard in major embedded operating systems, we observe that they do not fully interoperate. We find this is due to some inherent design flaws in 6LoWPAN. We propose and demonstrate four principles that can be used to structure protocols for low power devices that encourage interoperability between diverse implementations.
Imran, Laiqa Binte, Farhan, Muhammad, Latif, Rana M. Amir, Rafiq, Ahsan.  2018.  Design of an IoT Based Warfare Car Robot Using Sensor Network Connectivity. Proceedings of the 2Nd International Conference on Future Networks and Distributed Systems. :55:1–55:8.
Robots remain the focus of researchers and developers, and now they are moving towards IoT based devices and mobile robots to take advantage of the different sensor enables facilities. A robot is a machine capable of carrying out a complex series of actions automatically, especially one programmable by a computer. A robot can be controlled by a human and can be modified by its functionality at runtime by the operator. From past few decades, researchers are contributing towards Robotics. There is no end of technology, creativity, and innovation. The project is designed to develop a robot using android application for remote operation attached to the wireless camera for monitoring purpose. Surveillance using the camera can help the soldier team to make strategies at run-time. This kind of robot can be helpful for spying purpose in war fields. The android application loaded on mobile devices can connect to the security system and easy to use GUI and visualization of the Warfield. The security system then acts on these commands and responds to the user. The camera and the motion detector are attached to the system for remote surveillance using wireless protocol 802.11, ZigBee and Bluetooth protocols. This robot is having the functionality of mines detection, object detection, GPS used for location and navigation and a gun to fire the enemy at the runtime.
Zhang, Xiaoxi, Yin, Yong.  2018.  Design of Training Platform for Manned Submersible Vehicle Based on Virtual Reality Technology. Proceedings of the 31st International Conference on Computer Animation and Social Agents. :90-94.
Aiming at the problems of long training time, high cost and high risk existing in the deep working oceanauts, this paper, based on virtual reality technology, designed and developed the simulation system of diving and underwater operation process of Jiaolong which possesses multiple functions and good interactivity. Through the research on the motion model of A-frame swing, use Unity3D engine to develop the interactive simulation of diving and underwater operation process of Jiaolong after the 3D model of Jiaolong and mother ship was built by 3DMax. On the basis of giving full consideration to user experience, the real situation of diving and underwater operation process of Jiaolong was simulated, and the interactive manipulation function was realized.
Ha, Taehyun, Lee, Sangwon, Kim, Sangyeon.  2018.  Designing Explainability of an Artificial Intelligence System. Proceedings of the Technology, Mind, and Society. :14:1–14:1.
Explainability and accuracy of the machine learning algorithms usually laid on a trade-off relationship. Several algorithms such as deep-learning artificial neural networks have high accuracy but low explainability. Since there were only limited ways to access the learning and prediction processes in algorithms, researchers and users were not able to understand how the results were given to them. However, a recent project, explainable artificial intelligence (XAI) by DARPA, showed that AI systems can be highly explainable but also accurate. Several technical reports of XAI suggested ways of extracting explainable features and their positive effects on users; the results showed that explainability of AI was helpful to make users understand and trust the system. However, only a few studies have addressed why the explainability can bring positive effects to users. We suggest theoretical reasons from the attribution theory and anthropomorphism studies. Trough a review, we develop three hypotheses: (1) causal attribution is a human nature and thus a system which provides casual explanation on their process will affect users to attribute the result of system; (2) Based on the attribution results, users will perceive the system as human-like and which will be a motivation of anthropomorphism; (3) The system will be perceived by the users through the anthropomorphism. We provide a research framework for designing causal explainability of an AI system and discuss the expected results of the research.
Shehu, Yahaya Isah, James, Anne, Palade, Vasile.  2018.  Detecting an Alteration in Biometric Fingerprint Databases. Proceedings of the 2Nd International Conference on Digital Signal Processing. :6–11.
Assuring the integrity of biometric fingerprint templates in fingerprint databases is of paramount importance. Fingerprint templates contain a set of fingerprint minutiae which are various points of interest in a fingerprint. Most times, it is assumed that the stored biometric fingerprint templates are well protected and, as such, researchers are more concerned with improving/developing biometric systems that will not suffer from an unacceptable rate of false alarms and/or missed detections. The introduction of forensic techniques into biometrics for biometric template manipulation detection is of great importance and little research has been carried in this area. This paper investigates possible forensic techniques that could be used for stored biometric fingerprint templates tampering detection. A Support Vector Machine (SVM) classification approach is used for this task. The original and tampered templates are used to train the SVM classifier. The fingerprint datasets from the Biometrics Ideal Test (BIT) [13] are used for training and testing the classifier. Our proposed approach detects alterations with an accuracy of 90.5%.
Choi, Hongjun, Lee, Wen-Chuan, Aafer, Yousra, Fei, Fan, Tu, Zhan, Zhang, Xiangyu, Xu, Dongyan, Deng, Xinyan.  2018.  Detecting Attacks Against Robotic Vehicles: A Control Invariant Approach. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :801–816.
Robotic vehicles (RVs), such as drones and ground rovers, are a type of cyber-physical systems that operate in the physical world under the control of computing components in the cyber world. Despite RVs' robustness against natural disturbances, cyber or physical attacks against RVs may lead to physical malfunction and subsequently disruption or failure of the vehicles' missions. To avoid or mitigate such consequences, it is essential to develop attack detection techniques for RVs. In this paper, we present a novel attack detection framework to identify external, physical attacks against RVs on the fly by deriving and monitoring Control Invariants (CI). More specifically, we propose a method to extract such invariants by jointly modeling a vehicle's physical properties, its control algorithm and the laws of physics. These invariants are represented in a state-space form, which can then be implemented and inserted into the vehicle's control program binary for runtime invariant check. We apply our CI framework to eleven RVs, including quadrotor, hexarotor, and ground rover, and show that the invariant check can detect three common types of physical attacks – including sensor attack, actuation signal attack, and parameter attack – with very low runtime overhead.
Kaur, Gurpreet, Malik, Yasir, Samuel, Hamman, Jaafar, Fehmi.  2018.  Detecting Blind Cross-Site Scripting Attacks Using Machine Learning. Proceedings of the 2018 International Conference on Signal Processing and Machine Learning. :22–25.
Cross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a persistent manner on target servers. Most of the XSS detection techniques used to detect the XSS vulnerabilities are inadequate to detect blind XSS attacks. In this research, we present machine learning based approach to detect blind XSS attacks. Testing results help to identify malicious payloads that are likely to get stored in databases through web applications.
Facon, A., Guilley, S., Lec'Hvien, M., Schaub, A., Souissi, Y..  2018.  Detecting Cache-Timing Vulnerabilities in Post-Quantum Cryptography Algorithms. 2018 IEEE 3rd International Verification and Security Workshop (IVSW). :7-12.
When implemented on real systems, cryptographic algorithms are vulnerable to attacks observing their execution behavior, such as cache-timing attacks. Designing protected implementations must be done with knowledge and validation tools as early as possible in the development cycle. In this article we propose a methodology to assess the robustness of the candidates for the NIST post-quantum standardization project to cache-timing attacks. To this end we have developed a dedicated vulnerability research tool. It performs a static analysis with tainting propagation of sensitive variables across the source code and detects leakage patterns. We use it to assess the security of the NIST post-quantum cryptography project submissions. Our results show that more than 80% of the analyzed implementations have at least one potential flaw, and three submissions total more than 1000 reported flaws each. Finally, this comprehensive study of the competitors security allows us to identify the most frequent weaknesses amongst candidates and how they might be fixed.