Mar 302015

I have been invited to act as co-chair for TRUST 2015.

TRUST 2015 ( is an international conference on the technical and socio-economic aspects of trustworthy infrastructures. It provides an excellent interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences in building, designing, using and understanding trustworthy computing systems.


Important dates:

Submission due: 7 May 2015                                         Camera ready: 21 June 2015

Notification: 10 June 2015                                              Conference: 25 August 2015


The conference solicits original papers on any aspect (technical, social or socio-economic) of the design, application and usage of trusted and trustworthy computing. Papers can address design, application and usage of trusted and trustworthy computing in a broad range of concepts including, but not limited to, trustworthy infrastructures, cloud computing, services, hardware, software and protocols.

Two types of submissions are solicited:

  • Full papers (up to 18 pages in LNCS format) that report on in-depth, mature research results;
  • Short papers (up to 9 pages in LNCS format) that describe brief results or exciting work-in-progress.


The conference includes a technical and a socioeconomic strand. Full list of topics at
New topics for 2015 are

  • Applications as well as security analysis of trusted computing. We particularly encourage early explorations and results on new paradigms or emerging technologies (e.g., Intel SGX)
  • Trust, Security and Privacy in embedded systems and IoT systems
  • Trust in the Web: protocols and implementations of mechanisms to measure and leverage trust from the web (e.g., using social networks to establish trust for other services)
Sep 262014

The CfP:

Important dates

31 October 2014:
Deadline for expressions of interest or position papers (via email)
and registration (form available soon)
Within the limit of room capacity, people that have submitted a position paper and registered can attend

7 November 2014:
Program and position papers posted on the workshop website

20-21 November 2014:

Expressions of interest and position papers are due 10 October. Participation is free and open to all. Learn more about how to participate.

We are currently facing the transformation of the Web towards a more mobile use. These days, more users access the internet using their mobile devices than using conventional computers (notebooks, desktops, etc). It can be observed that web based services are used on mobile devices more often and more intensely. Mobile devices tend to be always on. At the same time these mobile devices are extremely personal devices: we carry them with us almost constantly, and we use them as personal assistants, trainers, banking terminals, memory-extenders and more. Smartphones know many details about our life: They know our location, carry a unique number, pictures and other very private information. They have a microphone and a camera.

As a result, privacy is a common concern with mobile devices and the mobile Web. A recent documentary from ARTE in cooperation with the CNIL and INRIA showed how apps acquire, consume and distribute user data. Often, not all the data gathered is really needed for the functioning of the application.

As a result, the user’s trust will evolve with the issues on privacy and security in the Open Web Platform. A great potential is wasted because the lacking trust leads to collection restrictions in various forms, being it ad blockers, stickers on cameras, metallic cases, removable batteries or just regulation. Instead, we should give users more tools to allow them to feel confident and in control. One the one hand, rigid restriction will also spoil opportunities including location based services, predictive agents, statistics for better product planning, the Internet of things or big data. On the other hand, services have to take the user’s fear seriously and communicate their intentions in a comprehensive way. There will be an ever more increased need to be transparent about what happens to the users’ data.

The Workshop on trust and permissions for Web applications, that was held in Paris on 3-4 September 2014 has provided insights on a way for a roadmap towards a broad consensus on trust and permission handling for the Open Web Platform. There was agreement, that browsers are in a position to examine the APIs used by a given app and apply heuristics to determine signs of attempts to “finger print” the device. This could be flagged to the user as well as to potential reviewers. Already in March, the STRINT workshop addressed issues of pervasive monitoring.

User studies have shown that users are more interested in what sites plan to do with the data they collect rather than with the full space of possibilities arising from the use of APIs. It is unreasonable to expect end users to understand lengthy terms of conditions and privacy policies. While the Paris Workshop explored models how to delegate trust decisions, this Workshop will explore ways to directly help the user understand what is going on. This includes appropriate ways of translating complex issues involving fine grained permissions in APIs into something that users understand.
Workshop Goals & Topics

The Workshop on User Centric App Controls intents to further the discussion among stakeholders of the mobile web platform, including researchers, developers and service providers. This workshop serves to investigate strategies toward better privacy protection on the Web that are effective and lead to benefits in the near term. This includes discussing basic privacy UI features that will, on the long run, create a user experience that loops with user expectations. We expect certain controls and dashboards in a car. Perhaps we can create a similar clarity for the privacy dashboard of our devices.

The Workshop is user centric as it will also look at user experience, user behavior and how we can offer controls that provide the necessary transparency of privacy-affecting interactions. But it also addresses app developers and the need for usable and implementable APIs to address privacy protection within the Open Web Platform that allow developers to address user’s privacy needs.

State management

Improving the UI for stateful services, overview of states
Defaults for expiration of stateful situations
How to convey state information to the User
How to deal with logging and how to provide interfaces for logged data?

Mobile Interfaces

Requirements for private browsing on mobile
A privacy ontology for mobile apps and their use of personal data
The value of privacy in paradigms for mobile UI
Helpers to understand the privacy impact or a privacy policy
Machine assisted lying to counter unfair data requests


Selective release of personal information to apps
Controlling the geo-location interfaces, including UI challenges
enforcing data expiry
What data should remain on the device, what can be stored into the cloud?

Who Should Attend?

Researchers with an interest in mobile privacy
UI and UX experts interested in privacy interfaces
Browser makers
App developers
Device vendors
Network operators
Cloud platform vendors with an interest in mobile interfaces to their services
Governments and regulatory agencies interested in evolving the regulatory framework for privacy to respond to mobile challenges

Questions? Rigo Wenning <>

Sep 152014

“Updaticator: Updating Billions of Devices by an Efficient, Scalable and Secure Software Update Distribution Over Untrusted Cache-enabled Networks”; M. Ambrosin, C. Busold, M. Conti, A. Sadeghi, M. Schunter, accepted at ESORICS 2014.

Secure and fast distribution of software updates and patches is essential for securing systems. Today, each device downloads updates individually from a software provider distribution server. This approach does not scale to large systems with billions of devices where the network bandwidth of the server and the local Internet gateway soon become bottlenecks. Cache-enabled Network (CN) services (either proprietary, as Akamai, or open Content-Distribution Networks) can reduce these bottlenecks. However, currently they do not offer security guarantees against potentially untrusted CN provider that try to threaten the confidentiality of the updates or the privacy of the users.
In this paper, we propose Updaticator, the first protocol for software updates over Cache-enabled Networks that is scalable to billions of concurrent device updates while being secure against malicious networks. We evaluate our proposal considering Named-Data Networking, a novel instance of Cache-enabled overlay Networks. Our analysis and experimental evaluation show that our solution removes the bottlenecks of individual device-update distribution, by reducing the network load at the distribution server from linear in the number of devices to a constant even if billions of devices are requesting updates. Furthermore, the download time is negligible due to local caching when compared to the state-of-the-art individual device-update mechanisms. Thus, our solution makes secure updates practical even for a large number of devices.

Download (PDF, 464KB)

Aug 212014

I am participating in the program committee of SEGS2014.


The 2nd Smart Energy Grid Security (SEGS) Workshop aims to foster innovative research and discussion about smart energy grid security and privacy challenges, approaches, and solutions. SEGS’14 takes places in Scottsdale, Arizona in conjunction with ACM CCS 2014.

SEGS seeks paper submissions from academia, industry, and government institutions presenting novel research on all theoretical and practical aspects of smart grid security and privacy, including design, analysis, experimentation, and fielded systems. We encourage submissions from other communities, such as law, economics, and HCI, that present these communities’ perspectives on technological issues.

The scope of the workshop encompasses all aspects of the smart grid, including distribution, transmission, generation, metering, e-mobility, and integration of distributed energy resources.

Apr 052014

I will serve as a program committee member of the 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS 2014).

The call for papers can be found at


Important Dates

  • On-line submission system open: April 10, 2014
  • Deadline for paper submissions: July 1, 2014
  • Notification of paper acceptance: September 2, 2014
  • Deadline for author registration: October 7, 2014
  • Deadline of camera-ready version: October 11, 2014


Important dates are:

Dec 292013

November 2013, we have kicked off our new EU Research project PRACTICE.

“The mission of PRACTICE is to design cloud computing technologies that allow computations in the cloud thus enabling new business processes while keeping the used data secret. Unlike today – where insiders can access sensitive data – PRACTICE will prevent cloud providers and other unauthorized parties from obtaining secret or sensitive information.”