129 matches found
undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server...
Verifiable Unlearning on Edge
Machine learning providers commonly distribute global models to edge devices, which subsequently personalize these models using local data. However, issues such as copyright infringements, biases, or regulatory requirements may require the verifiable removal of certain data samples across all edg...
SecurityLingua: Efficient Defense of LLM Jailbreak Attacks Via Security-Aware Prompt Compression
Large language models LLMs have achieved widespread adoption across numerous applications. However, many LLMs are vulnerable to malicious attacks even after safety alignment. These attacks typically bypass LLMs' safety guardrails by wrapping the original malicious instructions inside adversarial...
Quantum Enhanced Entropy Pool for Cryptographic Applications and Proofs
This paper investigates the integration of quantum randomness into Verifiable Random Functions VRFs using the Ed25519 elliptic curve to strengthen cryptographic security. By replacing traditional pseudorandom number generators with quantum entropy sources, we assess the impact on key security and...
Excessive Reasoning Attack on Reasoning LLMs
Recent reasoning large language models LLMs, such as OpenAI o1 and DeepSeek-R1, exhibit strong performance on complex tasks through test-time inference scaling. However, prior studies have shown that these models often incur significant computational costs due to excessive reasoning, such as...
Detecting Hardware Trojans in Microprocessors via Hardware Error Correction Code-based Modules
Software-exploitable Hardware Trojans HTs enable attackers to execute unauthorized software or gain illicit access to privileged operations. This manuscript introduces a hardware-based methodology for detecting runtime HT activations using Error Correction Codes ECCs on a RISC-V microprocessor...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the listNames function. An attacker can cause significant CPU consumption and degrade server performance by supplying a crafted regular expression and influencing the set of resource names...
Tech-ASan: Two-Stage Check for Address Sanitizer
Address Sanitizer ASan is a sharp weapon for detecting memory safety violations, including temporal and spatial errors hidden in C/C++ programs during execution. However, ASan incurs significant runtime overhead, which limits its efficiency in testing large software. The overhead mainly comes fro...
ObfusBFA: a Holistic Approach to Safeguarding DNNs from Different Types of Bit-Flip Attacks
Bit-flip attacks BFAs represent a serious threat to Deep Neural Networks DNNs, where flipping a small number of bits in the model parameters or binary code can significantly degrade the model accuracy or mislead the model prediction in a desired way. Existing defenses exclusively focus on...
Important: Red Hat Security Advisory: perl-FCGI:0.78 security update
An update for the perl-FCGI:0.78 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rate...
ZTaint-Havoc: from Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference
Fuzzing is a widely used technique for discovering software vulnerabilities, but identifying hot bytes that influence program behavior remains challenging. Traditional taint analysis can track such bytes white-box, but suffers from scalability issue. Fuzzing-Driven Taint Inference FTI offers a...
NanoZone: Scalable, Efficient, and Secure Memory Protection for Arm CCA
Arm Confidential Computing Architecture CCA currently isolates at the granularity of an entire Confidential Virtual Machine CVM, leaving intra-VM bugs such as Heartbleed unmitigated. The state-of-the-art narrows this to the process level, yet still cannot stop attacks that pivot within the same...
ARIANNA: an Automatic Design Flow for Fabric Customization and EFPGA Redaction
In the modern global Integrated Circuit IC supply chain, protecting intellectual property IP is a complex challenge, and balancing IP loss risk and added cost for theft countermeasures is hard to achieve. Using embedded configurable logic allows designers to completely hide the functionality of...
Compact and Selective Disclosure for Verifiable Credentials
Self-Sovereign Identity SSI is a novel identity model that empowers individuals with full control over their data, enabling them to choose what information to disclose, with whom, and when. This paradigm is rapidly gaining traction worldwide, supported by numerous initiatives such as the European...
Safety Alignment Can Be Not Superficial with Explicit Safety Signals
Recent studies on the safety alignment of large language models LLMs have revealed that existing approaches often operate superficially, leaving models vulnerable to various adversarial attacks. Despite their significance, these studies generally fail to offer actionable solutions beyond data...
Shill Bidding Prevention in Decentralized Auctions Using Smart Contracts
In online auctions, fraudulent behaviors such as shill bidding pose significant risks. This paper presents a conceptual framework that applies dynamic, behavior-based penalties to deter auction fraud using blockchain smart contracts. Unlike traditional post-auction detection methods, this approac...
Zero-Trust Mobility-Aware Authentication Framework for Secure Vehicular Fog Computing Networks
Vehicular Fog Computing VFC is a promising paradigm to meet the low-latency and high-bandwidth demands of Intelligent Transportation Systems ITS. However, dynamic vehicle mobility and diverse trust boundaries introduce critical security challenges. This paper presents a novel Zero-Trust...
When Mitigations Backfire: Timing Channel Attacks and Defense for PRAC-Based RowHammer Mitigations
Per Row Activation Counting PRAC has emerged as a robust framework for mitigating RowHammer RH vulnerabilities in modern DRAM systems. However, we uncover a critical vulnerability: a timing channel introduced by the Alert Back-Off ABO protocol and Refresh Management RFM commands. We present...
Privacy-Preserving Runtime Verification
Runtime verification offers scalable solutions to improve the safety and reliability of systems. However, systems that require verification or monitoring by a third party to ensure compliance with a specification might contain sensitive information, causing privacy concerns when usual runtime...
Area Comparison of CHERIoT and PMP in Ibex
Memory safety is a critical concern for modern embedded systems, particularly in security-sensitive applications. This paper explores the area impact of adding memory safety extensions to the Ibex RISC-V core, focusing on physical memory protection PMP and Capability Hardware Extension to RISC-V...