M. Mannan - Publications

• DBLP (co-author graph)
• Citations via Google Scholar
• List by year

Trusted Computing and Data Security

• DeviceVeil: Robust Authentication for Individual USB Devices Using Physical Unclonable Functions. Kuniyasu Suzaki, Yohei Hori, Kazukuni Kobara, M. Mannan. IEEE/IFIP Dependable Systems and Networks (DSN 2019), June 24-27, 2019. Portland, Oregon, USA.
• TEE-aided Write Protection Against Privileged Data Tampering. L. Zhao, M. Mannan. Network and Distributed System Security Symposium (NDSS 2019), Feb. 24-27, 2019, San Diego, CA, USA.
  • Selected press (Montreal Gazette, La Presse, CTV, CBC, The Suburban)
• One-Time Programs Made Practical. L. Zhao, J. Choi, D. Demirag, K. Butler, M. Mannan, E. Ayday, J. Clark. Financial Cryptography and Data Security (FC 2019), Feb. 18-22, 2019, St. Kitts.
• Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials. A. Kurnikov, A. Paverd, M. Mannan, N. Asokan. Workshop on Security, Privacy, and Identity Management in the Cloud (SECPID at ARES EU Projects Symposium 2018), Aug. 27-30, 2018, Hamburg, Germany. arXiv version: June 2, 2018.
• SafeKeeper: Protecting Web Passwords using Trusted Execution Environments. K. Krawiecka, A. Kurnikov, A. Paverd, M. Mannan, N. Asokan. The Web Conference (WWW 2018), 23-27 Apr. 2018, Lyon, France. (WWW Poster, arXiv version: Apr. 23, 2018).
• Using SafeKeeper to Protect Web Passwords. A. Kurnikov, K. Krawiecka, A. Paverd, M. Mannan, N. Asokan. The Web Conference Companion (WWW 2018 Companion), 23-27 Apr. 2018, Lyon, France.
• Hypnoguard: Protecting Secrets across Sleep-wake Cycles. (© ACM) Extended version: Aug. 11, 2016. L. Zhao and M. Mannan. ACM Conference on Computer and Communications Security (CCS 2016), Oct. 24-28, 2016, Vienna, Austria.
  • Selected press (Daily Dot, Gizmodo, PC Magazine, CNN-News18, The Statesman)
• Deceptive Deletion Triggers under Coercion (Author version: July 28, 2016). DOI: 10.1109/TIFS.2016.2598523. L. Zhao and M. Mannan. IEEE Transactions on Information Forensics and Security (TIFS), 11(12): 2763-2776 (December 2016).
• Gracewipe: Secure and Verifiable Deletion under Coercion. L. Zhao and M. Mannan. Network and Distributed System Security Symposium (NDSS 2015), Feb. 8-11, 2015, San Diego, CA, USA.
• Unicorn: Two-Factor Attestation for Data Security. (Version: Aug. 11, 2011 © ACM). M. Mannan, B.H. Kim, A. Ganjali, D. Lie. ACM Conference on Computer and Communications Security (CCS 2011), Oct. 17-21, 2011, Chicago, IL, USA.
  • Seminar (David Lie): University of Texas, Austin, USA, Feb. 2, 2012 (Featured by The Daily Texan)
  • Workshop (David Lie): EaGL-SysNet, University at Buffalo, NY, USA, August 20, 2011
  • Seminar: TechnoTalks, Vanier College, Montreal, Canada, Sept. 21, 2011

Software/SSL Security

• The Sorry State of TLS Security in Enterprise Interception Appliances. (Author copy, July 11, 2019). L. Waked, M. Mannan, A. Youssef. ACM Digital Threats: Research and Practice (DTRAP) (accepted for publication, June 13, 2019).
• [Techreport] Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carnavalet and M. Mannan. arXiv:1905.05224 (version: May 17, 2019).
  • Selected press (The Register, Le Figaro)
• [Techreport] The Sorry State of TLS Security in Enterprise Interception Appliances. L. Waked, M. Mannan, A. Youssef. arXiv:1809.08729 (version: Sept. 24, 2018).
• Another Look at TLS Ecosystems in Networked Devices vs. Web Servers. (Author copy, Sept. 30, 2018; Elsevier copy.) N. Samarasinghe and M. Mannan. Elsevier Computers & Security, volume 80, Jan. 2019.
• To Intercept or not to Intercept: Analyzing TLS Interception in Network Appliances. (© ACM). L. Waked, M. Mannan, A. Youssef. ACM Asia Conference on Computer and Communications Security (ASIACCS 2018), June 4-8, Songdo, Incheon, Korea.
• Short Paper: TLS Ecosystems in Networked Devices vs. Web Servers. (© Springer) Extended version: Mar. 17, 2017. N. Samarasinghe and M. Mannan. Financial Cryptography and Data Security 2017 (FC'17), Apr. 3-7, 2017, Malta.
• Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2016), Feb. 21-24, 2016, San Diego, CA, USA.
  • Selected press (Daily Mail, The Register, La Presse, Daily Express)
• Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), Dec. 8-12, 2014, New Orleans, Louisiana, USA.
  • Extended version.
  • Media coverage (on an earlier version): Slashdot (Oct 24, 2013) TheRegister.co.uk (Nov 6, 2013), TheRegister.co.uk (Nov 18, 2013), Threatpost.com (Apr 16, 2014).

Mobile Data Security and Privacy

• AppVeto: Mobile Application Self-Defense through Resource Access Veto. T. Osman, M. Mannan, U. Hengartner and A. Youssef. Annual Computer Security Applications Conference (ACSAC 2019), Dec 9-13, 2019, San Juan, Puerto Rico.
• On Understanding Permission Usage Contextuality in Android Apps. (Short paper, Version: May 31, 2018, © Springer/LNCS). Md Zakir Hossen and M. Mannan. IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2018), July 16-18, 2018, Bergamo, Italy.
• Mobiflage: Deniable Storage Encryption for Mobile Devices. (Pre-print version: Dec. 2, 2013, © IEEE). DOI: 10.1109/TDSC.2013.56. A. Skillen, M. Mannan. IEEE Transactions on Dependable and Secure Computing (TDSC), Special Issue on "Security and Privacy in Mobile Platforms", 11(3):224-237 (May/June), 2014.
• On Implementing Deniable Storage Encryption for Mobile Devices. (Version: December 3, 2012). A. Skillen and M. Mannan. Network and Distributed System Security Symposium (NDSS 2013), Feb. 24-27, 2013, San Diego, CA, USA.

Cloud/Email Security

• An Evaluation of Recent Secure Deduplication Proposals. (Pre-print version: Oct. 19, 2015, © Elsevier.) DOI: 10.1016/j.jisa.2015.08.001. V. Rabotka and M. Mannan. Elsevier Journal of Information Security and Applications (JISA), Special Issue on "Security and Privacy in Cloud Computing", volumes 27-28, pages 3-18 (April-May 2016).
• Peace vs. Privacy: Leveraging Conflicting Jurisdictions for Email Security. (Post-proceedings version: Nov. 3, 2015, © ACM.) M. Mannan, A. Shahkar, A. Saberi Pirouz and V. Rabotka. New Security Paradigms Workshop 2015 (NSPW'15), Twente, The Netherlands, Sept. 8-11, 2015.
• [Techreport] FriendlyMail: Confidential and Verified Emails among Friends . (Version: March 20, 2014). A. Saberi Pirouz, V. Rabotka, M. Mannan. Spectrum, Concordia University.
• Lightweight Client-side Methods for Detecting Email Forgery. (Version: July 23, 2012 © Springer). E. Lin, J. Aycock, and M. Mannan. Workshop on Information Security Applications (WISA2012), Aug. 16-18, 2012, Jeju Island, South Korea, LNCS Volume 7690, pp 254-269.

Authentication and Passwords

• On the Null Relationship between Personality Types and Passwords. Amit Maraj, Miguel Vargas Martin, Matthew Shane and M. Mannan. Conference on Privacy, Security and Trust (PST 2019), August 26-28, 2019. Fredericton, NB,Canada.
• A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM.) ACM Author-Izer Copy. X. de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015).
  • Project website
  • Selected press (Slashdot, NetworkWorld, PCMag, CTVMontreal)
• From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2014), Feb. 23-26, 2014, San Diego, CA, USA.
  • Project website
  • Password checker tool
  • Extended version (Jan. 6, 2013)
• Explicit Authentication Response Considered Harmful. (Post-proceedings version: October 26, 2013). L. Zhao, M. Mannan. New Security Paradigms Workshop 2013 (NSPW'13), Banff, Canada, Sept. 9-12, 2013.
• [Techreport] Myphrase: Passwords from your Own Words. (Version: January 25, 2013). A. Skillen, M. Mannan. Spectrum, Concordia University.
• Passwords for Both Mobile and Desktop Computers: ObPwd for Firefox and Android. (Author copy, version: July 12, 2012). M. Mannan, P.C. van Oorschot. USENIX ;login: 37(4): 28-37 (Aug. 2012). Magazine version: main article, appendix.
• Revisiting Defenses Against Large-Scale Online Password Guessing Attacks. (Pre-print version: Nov. 1, 2011, © IEEE). DOI: 10.1109/TDSC.2011.24. M. Alsaleh, M. Mannan, P.C. van Oorschot. IEEE Transactions on Dependable and Secure Computing (TDSC), 9(1): 128-141 (Jan/Feb 2012).
• Mercury: Recovering Forgotten Passwords Using Personal Devices. (Pre-proceedings version: Dec. 17, 2010). Slides (pdf). Android prototype and server code. M. Mannan, D. Barrera, C. Brown, D. Lie, P.C. van Oorschot. Financial Cryptography and Data Security 2011 (FC'11), St. Lucia, Feb. 28 - Mar. 4 2011.
• User Study, Analysis, and Usable Security of Passwords Based on Digital Objects (Author version: Feb. 11, 2011). DOI: 10.1109/TIFS.2011.2116781. R. Biddle, M. Mannan, P.C. van Oorschot, T. Whalen. IEEE Transactions on Information Forensics and Security (TIFS), 6(3): 970-979 (Sept. 2011). Extended version in Technical Report TR-10-02, (version Feb.16, 2010), School of Computer Science, Carleton University.
  • Digital Objects as Passwords. (Version: July 14, 2008, © USENIX). Slides (pdf). Prototype download. M. Mannan, P.C. van Oorschot. USENIX Hot Topics in Security 2008 (HotSec'08), San Jose, California, USA, July 29, 2008.
  • Selected press
• Leveraging Personal Devices for Stronger Password Authentication from Untrusted Computers (Author version: August 12, 2010). DOI: 10.3233/JCS-2010-0412. M. Mannan, P.C. van Oorschot. Journal of Computer Security, 19(4): 703-750 (2011). Extends the FC'07 paper (see below).
• Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer. (Post-proceedings version: March 30, 2007, © IFCA). Slides (pdf). AVISPA test code. M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2007 (FC'07), Lowlands, Scarborough, Trinidad and Tobago, Feb.12-15 2007. Tech Report (Extended version: March 30, 2007).
• Authentication and Securing Personal Information in an Untrusted Internet. M. Mannan. Ph.D. thesis, Carleton University, April 2009.

Privacy/Data Breaches

• On Privacy Risks of Public WiFi Captive Portals. S. Ali, T. Osman, M. Mannan and A. Youssef. Workshop on Data Privacy Management (DPM, co-located with ESORICS 2019), September 26-27, 2019, Luxembourg. arXiv version: July 3, 2019.
• Towards a Global Perspective on Web Tracking. (Author copy, July 30, 2019; Elsevier copy.) N. Samarasinghe and M. Mannan. Elsevier Computers & Security, volume 87, Nov. 2019.
• Playing With Danger: A Taxonomy and Evaluation of Threats to Smart Toys. S. Shasha, M. Mahmoud, M. Mannan, A. Youssef. IEEE Internet of Things Journal, 6(2): 2986-3002 (April 2019). arXiv version: Oct. 25, 2018.
• Towards a Comprehensive Analytical Framework for Smart Toy Privacy Practices. (Version: Nov. 29, 2017, © ACM). M. Mahmoud, Md Zakir Hossen, H. Barakat, M. Mannan and A. Youssef. Socio-Technical Aspects in Security and Trust (workshop at ACSAC 2017), Dec. 5, 2017, Orlando, FL, USA (Best Paper Award).
• Localization of Credential Information to Address Increasingly Inevitable Data Breaches. (Version Nov. 1, 2008, © ACM ). Slides (pdf). M. Mannan, P.C. van Oorschot. New Security Paradigms Workshop 2008 (NSPW'08), Lake Tahoe, California, USA, Sept. 22-25, 2008. Tech Report (Version: July 18, 2008).
• Privacy-Enhanced Sharing of Personal Content on the Web. (Version: Feb. 24, 2008 © IW3C2). Slides (pdf). M. Mannan, P.C. van Oorschot. World Wide Web conference (WWW2008), Apr. 21-25, 2008, Beijing, China.

Online Banking/PIN Security

• Reducing Threats from Flawed Security APIs: The Banking PIN Case. (Authors' copy, version: March 31, 2009, © Elsevier). M. Mannan, P.C. van Oorschot. Elsevier Computers & Security, volume 28, issue 6, Sept. 2009. Extends the FC'08 short paper (see below).
• Weighing Down ``The Unbearable Lightness of PIN Cracking.'' (Short paper, post-proceedings version: March 10, 2008, © IFCA). M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2008 (FC'08), Jan. 28-31, 2008, Cozumel, Mexico.
  • Tech Report (Extended version: April 29, 2008)
  • Presentation slides (pdf) from Analysis of Security API workshop (ASA-2, co-located with CSF 2008)
• Security and Usability: The Gap in Real-World Online Banking. (Post-proceedings version: October 19, 2007). Slides (pdf). M. Mannan, P.C. van Oorschot. New Security Paradigms Workshop 2007 (NSPW'07), New Hampshire, USA, Sept.18-21 2007.
  • Selected press

Network Security

• Detection of Malicious Payload Distribution Channels in DNS . (Version: February 12, 2014, © IEEE). A. Mert Kara, H. Binsalleeh, M. Mannan, A. Youssef, M. Debbabi. Communications and Information Systems Security Symposium (CISS), IEEE International Conference on Communications 2014 (ICC'14), Sydney, Australia, June 10-14, 2014.

Instant Messaging Security

• A Protocol for Secure Public Instant Messaging. (Version: March 30, 2006, © IFCA). Slides (pdf). AVISPA test code. M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2006 (FC'06), Feb.27-Mar.2 2006, Anguilla, British West Indies. Proceedings: Springer LNCS 4107. The extended version of this paper is available as a Tech Report.
• On Instant Messaging Worms, Analysis and Countermeasures. Slides (pdf). M. Mannan, P.C. van Oorschot. Third Workshop on Rapid Malcode (WORM 2005), Fairfax, VA, USA, November 11, 2005. © Copyright 2005 by ACM, Inc.
• Secure Public Instant Messaging: A Survey. M. Mannan, P.C. van Oorschot. Second Annual Conference on Privacy, Security and Trust (PST), Fredericton, NB, pp 69-77, October 13-15, 2004. Slides (ppt).
• Secure Public Instant Messaging. M. Mannan, Master's thesis, Carleton University, August 2005.