IEEE Security & Privacy’s Special Issue on Software Everywhere


IEEE Security & Privacy‘s readers are concerned with not only security and privacy but also safety and dependability. This issue focuses on all four aspects of the technology we use daily.

To subscribe digitally to IEEE S&P magazine, go here.

IEEE Security&Privacy

Volume 14, Issue 1

From the Editors

Games without Frontiers: Whither Information Security and Privacy?

Ahmad-Reza Sadeghi

DOI: 10.1109/MSP.2016.16

Abstract: The past decade has clearly shown that even the best security solutions won’t eliminate threats once and for all, and that there will always be “unknown unknowns.” However, new large-scale technologies and threat types require novel, sophisticated solutions to meet our current and future security and privacy demands.


Silver Bullet Talks with Peiter (Mudge) Zatko

Gary McGraw, Cigital

DOI: 10.1109/MSP.2016.11

Abstract: Gary McGraw interviews Peiter Zatko, known in the security community as Mudge, about the origins of the L0pht hacker collective, managing cybersecurity projects for DARPA, and much more.

Guest Editor’s Introduction

Software Everywhere

Shari Lawrence Pfleeger

DOI: 10.1109/MSP.2016.10

Abstract: IEEE Security & Privacy‘s readers are concerned with not only security and privacy but also safety and dependability. In this issue, we focus on all four aspects of the technology we use daily.

Software Everywhere

Mettle Fatigue: VW’s Single-Point-of-Failure Ethics

Roland L. Trope, Trope and Schramm LLP
Eugene K. Ressler, US Military Academy Emeritus Faculty

DOI: 10.1109/MSP.2016.6 [paywall]

Abstract: After a year of denials, Volkswagen admitted in August/September 2015 that multiple makes and models of its diesel vehicles contained defeat device software. The decisions leading to “Dieselgate” involved a corruption of engineering ethics that the profession ought to address.

Software Everywhere

Looking into Software Transparency

Charles P. Pfleeger

DOI: 10.1109/MSP.2016.5 [paywall]

Abstract: A recent Volkswagen emissions incident has raised calls for greater transparency of the software on which much of modern life depends. The argument posed is that if the emissions control system code had been available for public scrutiny, someone would have seen the relevant segment and blown the whistle. However, this reasoning is faulty.

Software Everywhere

Learning Internet-of-Things Security “Hands-On”

Constantinos Kolias, George Mason University
Angelos Stavrou, George Mason University
Jeffrey Voas, National Institute of Standards and Technology
Irena Bojanova, National Institute of Standards and Technology
Richard Kuhn, National Institute of Standards and Technology

DOI: 10.1109/MSP.2016.4 [paywall]

Abstract: What can you glean from using inexpensive, off-the-shelf parts to create Internet of Things (IoT) use cases? As it turns out, a lot. The fast productization of IoT technologies is leaving users vulnerable to security and privacy risks.

Jamming Attacks

A Communications Jamming Taxonomy

Marc Lichtman, Virginia Tech
Jeffrey D. Poston, Virginia Tech
SaiDhiraj Amuru, Virginia Tech
Chowdhury Shahriar, Virginia Tech
T. Charles Clancy, Virginia Tech
R. Michael Buehrer, Virginia Tech
Jeffrey H. Reed, Virginia Tech

DOI: 10.1109/MSP.2016.13 [paywall]

Abstract: With the now widespread availability of software-defined radio technology for wireless networks, the distinction between jamming in the original electronic warfare sense and wireless cybersecurity attacks becomes hazy. A taxonomy delineates these concepts in the rapidly expanding field of wireless security, classifying communication jammers’ theoretical behaviors and characteristics.

Visual Privacy

Evaluating Protection Capability for Visual Privacy Information

Yuta Nakashima, Nara Institute of Science and Technology
Tomoaki Ikeno, Osaka University
Noboru Babaguchi, Osaka University

DOI: 10.1109/MSP.2016.3 [paywall]

Abstract: One way to prevent privacy intrusion is by blurring or blocking out facial images using image processing. However, this technique’s effectiveness depends on viewers’ familiarity with the subjects as well as on the subjects’ conspicuousness.

Crypto Corner

Fully Homomorphic Encryption: Computations with a Blindfold

Marc Beunardeau, École normale supérieure
Aisling Connolly, École normale supérieure
Rémi Géraud, École normale supérieure
David Naccache, École normale supérieure

DOI: 10.1109/MSP.2016.8 [paywall]

Abstract: To leverage the power of cloud computing, you can no longer encrypt data the traditional way. However, anyone (including the cloud service itself) can easily read unencrypted data. Fully homomorphic encryption reconciles this dilemma.

It All Depends

Binary Rejuvenation: Applications and Challenges

Angelos Oikonomopoulos, VU University Amsterdam
Cristiano Giuffrida, VU University Amsterdam
Sanjay Rawat, VU University Amsterdam
Herbert Bos, VU University Amsterdam

DOI: 10.1109/MSP.2016.20 [paywall]

Abstract: Software engineers have long performed source code rejuvenation, or rewriting of obsolete or outdated programming idioms to modern counterparts. Inspired by this practice, the authors propose binary rejuvenation by updating selected binary files.


Addressing Gender Gaps in Teens’ Cybersecurity Engagement and Self-Efficacy

Laura Amo, University at Buffalo

DOI: 10.1109/MSP.2016.12 [paywall]

Abstract: To increase women’s representation in technology careers, it’s important to spark and nurture their interest and confidence during middle and high school. A pilot study compares gender differences in cybersecurity self-efficacy and interest among teens at a five-day cybersecurity camp. Although males initially scored higher on the Cybersecurity Engagement and Self-Efficacy Scale, the females caught up by week’s end.

Basic Training

The DARPA Cyber Grand Challenge: A Competitor’s Perspective, Part 2

Jia Song, University of Idaho
Jim Alves-Foss, University of Idaho

DOI: 10.1109/MSP.2016.14 [paywall]

Abstract: DARPA initiated the Cyber Grand Challenge (CGC) in 2014 to encourage innovation in fully automated software vulnerability analysis and repair. In the June 2015 CGC Qualifying Event, the competitors’ automated systems were given one day to evaluate 131 challenges. The top seven teams, including the University of Idaho’s Center for Secure and Dependable Systems, will compete in the August 2016 CGC Final Event. This second of two CGC articles describes lessons learned about automated cybersecurity defensive systems.

Security & Privacy Economics

Action, Inaction, Trust, and Cybersecurity’s Common Property Problem

Karen Elliott, Newcastle University Business School
Fabio Massacci, University of Trento
Julian Williams, Durham University Business School

DOI: 10.1109/MSP.2016.2 [paywall]

Abstract: Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing “nothing” is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors’ anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

Last Word

Cryptography Is Harder than It Looks

Bruce Schneier, Resilient Systems

DOI: 10.1109/MSP.2016.7

Abstract: Security vulnerabilities, whether deliberate back door access mechanisms or accidental flaws, make us all less secure. Getting security right is harder than it looks, and our best chance is to make the cryptography as simple and public as possible.