The Ghost in the Browser

Speaker: Niels Provos, Google

Abstract:
As more users are connected to the Internet and conduct their daily activities electronically, computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain. Unfortunately, even a single visit to an infected web site enables the attacker to detect vulnerabilities in the user's applications and force the download a multitude of malware binaries. Frequently, this malware allows the adversary to gain full control of the compromised systems leading to the ex-filtration of sensitive information or installation of utilities that facilitate remote control of the host. We believe that such behavior is similar to our traditional understanding of botnets. However, the main difference is that web-based malware infections are pull-based and that the resulting command feedback loop is looser. To characterize the nature of this rising thread, this talk identifies the four prevalent mechanisms used to inject malicious content on popular web sites: web server security, user contributed content, advertising and third-party widgets. For each of these areas, the talk presents examples of abuse found on the Internet. Our aim is to present the state of malware on the Web and emphasize the importance of this rising threat.

Time: 25 September 2007 (Tuesday) at 1630 hrs
Location: Gates 4B (opposite 490)

Statistically Hiding Commitment from Any One-Way Function

Speaker: Iftach Haitner

Abstract:
A commitment scheme defines a two-stage interactive protocol between a sender and a receiver; informally, after the commit stage, the sender is bound to (at most) one value, which is not yet revealed to the receiver, and in the reveal stage the receiver finally learns this value. In a statistically-hiding computationally-binding commitment scheme (for short, statistical commitment) even an all-powerful receiver does not learn the value to which the sender commits before the reveal stage, while a polynomial-bounded sender is bound to at most one value after the commit stage.

Statistical commitment is a fundamental primitive in cryptography, it can be used as a building block in constructions of statistical zero-knowledge arguments and certain coin-tossing protocols. In particular, it implies, via standard reduction, a way to transform protocols that are secure assuming an all powerful honest-but-curious party, into one that is secure even when this party maliciously deviates from the protocol.

We give the first construction of statistically-hiding commitment schemes based on the minimal cryptographic assumption that one-way functions exist (previous constructions assume some structure on the functions, e.g. regularity). Our construction employs two-phase commitment schemes, recently constructed by Nguyen, Ong and Vadhan (FOCS '06), and universal one-way hash functions introduced and constructed by Naor and Yung (STOC '89) and Rompel (STOC '90).

Joint work with Omer Reingold

Time: 10 September 2007 (Monday) at 1630 hrs
Location: Gates 4B (opposite 490)