ACSAC 2017: Orlando, FL, USA

Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA, December 4-8, 2017. ACM

Paper Num: 48 || Session Num: 16

Mobile Authentication 3

1. n-Auth: Mobile Authentication Done Right.

【Pages】: 1-15

【Authors】: Roel Peeters ; Jens Hermans ; Pieter Maene ; Katri Grenman ; Kimmo Halunen ; Juha Häikiö

【Abstract】: Weak security, excessive personal data collection for user profiling, and a poor user experience are just a few of the many problems that mobile authentication solutions suffer from. Despite being an interesting platform, mobile devices are still not being used to their full potential for authentication. n-Auth is a firm step in unlocking the full potential of mobile devices in authentication, by improving both security and usability whilst respecting the privacy of the user. Our focus is on the combined usage of several strong cryptographic techniques with secure HCI design principles to achieve a better user experience. We specified and built n-Auth, for which robust Android and iOS apps are openly available through the official stores.

2. Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information.

【Pages】: 16-27

【Authors】: Antonio Bianchi ; Eric Gustafson ; Yanick Fratantonio ; Christopher Kruegel ; Giovanni Vigna

【Abstract】: Today's mobile applications increasingly rely on communication with a remote backend service to perform many critical functions, including handling user-specific information. This implies that some form of authentication should be used to associate a user with their actions and data. Since schemes involving tedious account creation procedures can represent "friction" for users, many applications are moving toward alternative solutions, some of which, while increasing usability, sacrifice security. This paper focuses on a new trend of authentication schemes based on what we call "device-public" information, which consists of properties and data that any application running on a device can obtain. While these schemes are convenient to users, since they require little to no interaction, they are vulnerable by design, since all the needed information to authenticate a user is available to any app installed on the device. An attacker with a malicious app on a user's device could easily hijack the user's account, steal private information, send (and receive) messages on behalf of the user, or steal valuable virtual goods. To demonstrate how easily these vulnerabilities can be weaponized, we developed a generic exploitation technique that first mines all relevant data from a victim's phone, and then transfers and injects them into an attacker's phone to fool apps into granting access to the victim's account. Moreover, we developed a dynamic analysis detection system to automatically highlight problematic apps. Using our tool, we analyzed 1,000 popular applications and found that 41 of them, including the popular messaging apps WhatsApp and Viber, were vulnerable. Finally, our work proposes solutions to this issue, based on modifications to the Android API.

【Keywords】: authentication; mobile-security; vulnerability

3. A Secure Mobile Authentication Alternative to Biometrics.

【Pages】: 28-41

【Authors】: Mozhgan Azimpourkivi ; Umut Topkara ; Bogdan Carbunar

【Abstract】: Biometrics are widely used for authentication in consumer devices and business settings as they provide sufficiently strong security, instant verification, and convenience for users. However, biometrics are hard to keep secret, stolen biometrics pose lifelong security risks to users as they cannot be reset and re-issued, and transactions authenticated by biometrics across different systems are linkable and traceable back to the individual identity. In addition, their cost-benefit analysis does not include personal implications to users, who are least prepared for the imminent negative outcomes, and are not often given equally convenient alternative authentication options. We introduce ai.lock, a secret image based authentication method for mobile devices which uses an imaging sensor to reliably extract authentication credentials similar to biometrics. Despite lacking the regularities of biometric image features, we show that ai.lock consistently extracts features across authentication attempts from general user captured images, to reconstruct credentials that can match and exceed the security of biometrics (EER = 0.71%). ai.lock only stores a "hash" of the object's image. We measure the security of ai.lock against brute force attacks on more than 3.5 billion authentication instances built from more than 250,000 images of real objects, and 100,000 synthetically generated images using a generative adversarial network trained on object images. We show that the ai.lock Shannon entropy is superior to a fingerprint based authentication built into popular mobile devices.

【Keywords】: Deep learning; Locality sensitive hashing; Mobile and wearable device authentication; Multi-factor authentication

Memory Corruption 3

4. Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection.

【Pages】: 42-54

【Authors】: Hua Yan ; Yulei Sui ; Shiping Chen ; Jingling Xue

【Abstract】: Typestate analysis relies on pointer analysis for detecting temporal memory safety errors, such as use-after-free (UAF). For large programs, scalable pointer analysis is usually imprecise in analyzing their hard "corner cases", such as infeasible paths, recursion cycles, loops, arrays, and linked lists. Due to a sound over-approximation of the points-to information, a large number of spurious aliases will be reported conservatively, causing the corresponding typestate analysis to report a large number of false alarms. Thus, the usefulness of typestate analysis for heap-intensive clients, like UAF detection, becomes rather limited, in practice. We introduce Tac, a static UAF detector that bridges the gap between typestate and pointer analyses by machine learning. Tac learns the correlations between program features and UAF-related aliases by using a Support Vector Machine (SVM) and applies this knowledge to further disambiguate the UAF-related aliases reported imprecisely by the pointer analysis so that only the ones validated by its SVM classifier are further investigated by the typestate analysis. Despite its unsoundness, Tac represents a practical typestate analysis approach for UAF detection. We have implemented Tac in LLVM-3.8.0 and evaluated it using a set of eight open-source C/C++ programs. The results show that Tac is effective (in terms of finding 5 known CVE vulnerabilities, 1 known bug, and 8 new bugs with a low false alarm rate) and scalable (in terms of analyzing a large codebase with 2,098 KLOC in just over 4 hours).

【Keywords】: machine learning; static analysis; use-after-free; vulnerability detection

5. Breaking and Fixing Destructive Code Read Defenses.

【Pages】: 55-67

【Authors】: Jannik Pewny ; Philipp Koppe ; Lucas Davi ; Thorsten Holz

【Abstract】: Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common belief is that DCR provides strong protection if combined with a high-entropy code randomization. The contribution of this paper is twofold: first, we demonstrate that DCR can be bypassed regardless of the underlying code randomization scheme. To this end, we show novel, generic attacks that infer the code layout for highly randomized program code. Second, we present the design and implementation of BGDX (Byte-Granular DCR and XOM), a novel mitigation technique that protects legacy binaries against code inference attacks. BGDX enforces memory permissions on a byte-granular level allowing us to combine DCR and XOM for legacy, off-the-shelf binaries. Our evaluation shows that BGDX is not only effective, but highly efficient, imposing only a geometric mean performance overhead of 3.95 % on SPEC.

【Keywords】: Code-Reuse Attacks and Defenses; Destructive Code Reads; Execute-only Memory

6. QUASAR: Quantitative Attack Space Analysis and Reasoning.

【Pages】: 68-78

【Authors】: Richard Skowyra ; Steven R. Gomez ; David Bigelow ; James Landry ; Hamed Okhravi

【Abstract】: Computer security has long been an arms race between attacks and defenses. While new defenses are proposed and built to stop specific vectors of attacks, novel, sophisticated attacks are devised by attackers to bypass them. This rapid cycle of defenses and attacks has made it difficult to strategically reason about the protection offered by each defensive technique, the coverage of a set of defenses, and possible new vectors of attack for which to design future defenses. In this work, we present QUASAR, a framework that systematically analyzes attacks and defenses at the granularity of the capabilities necessary to mount the attacks. We build a model of attacks in the memory corruption domain, and represent various prominent defenses in this domain. We demonstrate that QUASAR can be used to compare defenses at a fundamental level (what they do instead of how they do it), reason about the coverage of a defensive configuration, and hypothesize about possible new attack strategies. We show that of the top five hypothesized new attack strategies, in fact, four have been published in security venues over the past two years. We investigate the fifth hypothesized vector ourselves and demonstrate that it is, in fact, a viable vector of attack.

Big Data Analytics 3

7. Kakute: A Precise, Unified Information Flow Analysis System for Big-data Security.

【Pages】: 79-90

【Authors】: Jianyu Jiang ; Shixiong Zhao ; Danish Alsayed ; Yuexuan Wang ; Heming Cui ; Feng Liang ; Zhaoquan Gu

【Abstract】: Big-data frameworks (e.g., Spark) enable computations on tremendous data records generated by third parties, causing various security and reliability problems such as information leakage and programming bugs. Existing systems for big-data security (e.g., Titian) track data transformations at a record level, so they are imprecise and too coarse-grained for these problems. For instance, when we ran Titian to drill down input records that produced a buggy output record, Titian reported 3 to 9 orders of magnitude more input records than the actual ones. Information Flow Tracking (IFT) is a conventional approach for precise information control. However, extant IFT systems are neither efficient nor complete for big-data frameworks, because these frameworks are data-intensive, and data flowing across hosts is often ignored by IFT. This paper presents Kakute, the first precise, fine-grained information flow analysis system for big-data. Our insight on making IFT efficient is that most fields in a data record often have the same IFT tags, and we present two new efficient techniques called Reference Propagation and Tag Sharing. In addition, we design an efficient, complete cross-host information flow propagation approach. Evaluation on seven diverse big-data programs (e.g., WordCount) shows that Kakute had merely 32.3% overhead on average even when fine-grained information control was enabled. Compared with Titian, Kakute precisely drilled down the actual bug inducing input records, a huge reduction of 3 to 9 orders of magnitude. Kakute's performance overhead is comparable with Titian. Furthermore, Kakute effectively detected 13 real-world security and reliability bugs in 4 diverse problems, including information leakage, data provenance, programming and performance bugs. Kakute's source code and results are available on https://github.com/hku-systems/kakute.

【Keywords】: Big-data; Data-intensive Scalable Computing System; Information Flow Tracking

8. Marmite: Spreading Malicious File Reputation Through Download Graphs.

【Pages】: 91-102

【Authors】: Gianluca Stringhini ; Yun Shen ; Yufei Han ; Xiangliang Zhang

【Abstract】: Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.

9. TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources.

【Pages】: 103-115

【Authors】: Ghaith Husari ; Ehab Al-Shaer ; Mohiuddin Ahmed ; Bill Chu ; Xi Niu

【Abstract】: With the rapid growth of cyber attacks, sharing of cyber threat intelligence (CTI) becomes essential to identify and respond to cyber attacks in a timely and cost-effective manner. However, with the lack of standard languages and automated analytics of cyber threat information, analyzing complex and unstructured text of CTI reports is extremely time- and labor-consuming. Without addressing this challenge, CTI sharing will be highly impractical, and attack uncertainty and time-to-defend will continue to increase. Considering the high volume and speed of CTI sharing, our aim in this paper is to develop automated and context-aware analytics of cyber threat intelligence to accurately learn attack patterns (TTPs) from commonly available CTI sources in order to timely implement cyber defense actions. Our paper has three key contributions. First, it presents a novel threat-action ontology that is sufficiently rich to understand the specifications and context of malicious actions. Second, we developed a novel text mining approach that combines enhanced techniques of Natural Language Processing (NLP) and Information retrieval (IR) to extract threat actions based on semantic (rather than syntactic) relationship. Third, our CTI analysis can construct a complete attack pattern by mapping each threat action to the appropriate techniques, tactics and kill chain phases, and translating it into any threat sharing standard, such as STIX 2.1. Our CTI analytic techniques were implemented in a tool, called TTPDrill, and evaluated using a randomly selected set of Symantec Threat Reports. Our evaluation tests show that TTPDrill achieves more than 82% of precision and recall in a variety of measures, very reasonable for this problem domain.

Software Protection 3

10. Supplementing Modern Software Defenses with Stack-Pointer Sanity.

【Pages】: 116-127

【Authors】: Anh Quach ; Matthew Cole ; Aravind Prakash

【Abstract】: The perpetual cat-and-mouse game between attackers and software defenders has highlighted the need for strong and robust security. With performance as a key concern, most modern defenses focus on control-flow integrity (CFI), a program property that requires runtime execution of a program to adhere to a statically determined control-flow graph (CFG). Despite its success in preventing traditional return-oriented programming (ROP), CFI is known to be ineffective against modern attacks that adhere to a statically recovered CFG (e.g., COOP). This paper introduces stack-pointer integrity (SPI) as a means to supplement CFI and other modern defense techniques. Due to its ability to influence indirect control targets, the stack pointer is a key artifact in attacks. We define SPI as a property comprising two key sub-properties - Stack Localization and Stack Conservation - and implement an LLVM-based compiler prototype codenamed SPIglass that enforces SPI. We demonstrate a low implementation overhead and incremental deployability, two of the most desirable features for practical deployment. Our performance experiments show that the overhead of our defense is low in practice. We open-source SPIglass for the benefit of the community.

11. Protecting COTS Binaries from Disclosure-guided Code Reuse Attacks.

【Pages】: 128-140

【Authors】: Mingwei Zhang ; Michalis Polychronakis ; R. Sekar

【Abstract】: Code diversification, combined with execute-only memory, provides an effective defense against just-in-time code reuse attacks. However, existing techniques for combining code diversification and hardware-assisted memory protections typically require compiler support, as well as the deployment or modification of a hypervisor. These requirements often cannot be met, either because source code is not available, or because the required hardware features may not be available on the target system. In this paper we present SECRET, a software hardening technique tailored to legacy and closed-source software that provides equivalent protection to execute-only memory without relying on hardware features or recompilation. This is achieved using two novel techniques, code space isolation and code pointer remapping, which prevent read accesses to the executable memory of the protected code. Furthermore, SECRET thwarts code pointer harvesting attacks on ELF files by remapping existing code pointers to use random values. SECRET has been implemented on 32-bit Linux systems. Our evaluation shows that it introduces just 2% additional runtime overhead on top of a state-of-the-art CFI implementation, bringing the total average overhead to about 16%. In addition, it achieves better protection coverage compared to compiler-based techniques, as it can handle low-level machine code such as inline assembly or extra code introduced by the linker and loader.

12. Piston: Uncooperative Remote Runtime Patching.

【Pages】: 141-153

【Authors】: Christopher Salls ; Yan Shoshitaishvili ; Nick Stephens ; Christopher Kruegel ; Giovanni Vigna

【Abstract】: While software is now being developed with more sophisticated tools, its complexity has increased considerably, and, as a consequence, new vulnerabilities are discovered every day. To address the constant flow of vulnerabilities being identified, patches are frequently being pushed to consumers. Patches, however, often involve having to shut down services in order to be applied, which can result in expensive downtime. To solve this problem, various hot-patching systems have been devised to patch systems without the need for restarting. These systems often require either the cooperation of the system or the process they are patching. This still leaves out a considerable amount of systems, most notably embedded devices, which remain unable to be hot-patched. We present Piston, a generic system for the remote hot-patching of uninterruptible software that operates without the system's cooperation. Piston achieves this by using an exploit to take control of the remote process and modify its code on-the-fly. Piston works directly on binary code and is capable of automatically counter-acting the destructive effects on memory that might be the result of the exploitation.

Applied Crypto 3

13. Proxy Re-Encryption Based on Homomorphic Encryption.

【Pages】: 154-161

【Authors】: Reda Bellafqira ; Gouenou Coatrieux ; Dalel Bouslimi ; Gwénolé Quellec ; Michel Cozic

【Abstract】: In this paper, we propose a homomorphic proxy re-encryption scheme (HPRE) that allows different users to share data they outsourced homomorphically encrypted using their respective public keys, with the possibility of subsequently processing such data remotely. Its originality stands on a solution we propose so as to compute the difference of data encrypted with the Damgard-Jurik cryptosystem. It also takes advantage of a secure combined linear congruential generator that we implemented in the Damgard-Jurik encrypted domain. Basically, in our HPRE scheme, the two users, the delegator and the delegate, ask the cloud server to generate an encrypted noise based on a secret key both users previously agreed on. Based on our solution to compute the difference in the Damgard-Jurik encrypted domain, the cloud computes in clear the differences between the encrypted noise and the encrypted data of the delegator, thus obtaining blinded data. In order for the delegate to get access to the data, the cloud just has to encrypt these differences using the delegate's public key and then remove the noise. This solution doesn't need extra communication between the cloud and the delegator. Our HPRE was implemented in the case of the sharing of uncompressed images stored in the cloud, showing good time computation performance. It is unidirectional and collusion-resistant. Nevertheless, it is not limited to images and can be used with any kind of data.

【Keywords】: Homomorphic proxy re-encryption; Processing of encrypted data; Security confidentiality

14. Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans.

【Pages】: 162-175

【Authors】: Matús Nemec ; Dusan Klinec ; Petr Svenda ; Peter Sekan ; Vashek Matyas

【Abstract】: We measure the popularity of cryptographic libraries in large datasets of RSA public keys. We do so by improving a recently proposed method based on biases introduced by alternative implementations of prime selection in different cryptographic libraries. We extend the previous work by applying statistical inference to approximate a share of libraries matching an observed distribution of RSA keys in an inspected dataset (e.g., Internet-wide scan of TLS handshakes). The sensitivity of our method is sufficient to detect transient events such as a periodic insertion of keys from a specific library into Certificate Transparency logs and inconsistencies in archived datasets. We apply the method on keys from multiple Internet-wide scans collected in years 2010 through 2017, on Certificate Transparency logs and on separate datasets for PGP keys and SSH keys. The results quantify a strong dominance of OpenSSL with more than 84% TLS keys for Alexa 1M domains, steadily increasing since the first measurement. OpenSSL is even more popular for GitHub client-side SSH keys, with a share larger than 96%. Surprisingly, new certificates inserted in Certificate Transparency logs on certain days contain more than 20% keys most likely originating from Java libraries, while TLS scans contain less than 5% of such keys. Since the ground truth is not known, we compared our measurements with other estimates and simulated different scenarios to evaluate the accuracy of our method. To our best knowledge, this is the first accurate measurement of the popularity of cryptographic libraries not based on proxy information like web server fingerprinting, but directly on the number of observed unique keys.

【Keywords】: RSA algorithm; cryptographic library; prime generation

15. Spinner: Semi-Automatic Detection of Pinning without Hostname Verification.

【Pages】: 176-188

【Authors】: Chris McMahon Stone ; Tom Chothia ; Flavio D. Garcia

【Abstract】: Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.

Enterprise Security 3

16. Predicting Cyber Threats with Virtual Security Products.

【Pages】: 189-199

【Authors】: Shang-Tse Chen ; Yufei Han ; Duen Horng Chau ; Christopher S. Gates ; Michael Hart ; Kevin A. Roundy

【Abstract】: Cybersecurity analysts are often presented suspicious machine activity that does not conclusively indicate compromise, resulting in undetected incidents or costly investigations into the most appropriate remediation actions. There are many reasons for this: deficiencies in the number and quality of security products that are deployed, poor configuration of those security products, and incomplete reporting of product-security telemetry. Managed Security Service Providers (MSSP's), which are tasked with detecting security incidents on behalf of multiple customers, are confronted with these data quality issues, but also possess a wealth of cross-product security data that enables innovative solutions. We use MSSP data to develop Virtual Product, which addresses the aforementioned data challenges by predicting what security events would have been triggered by a security product if it had been present. This benefits the analysts by providing more context into existing security incidents (albeit probabilistic) and by making questionable security incidents more conclusive. We achieve up to 99% AUC in predicting the incidents that some products would have detected had they been present.

【Keywords】: Virtual Product; semi-supervised matrix factorization

17. Smoke Detector: Cross-Product Intrusion Detection With Weak Indicators.

【Pages】: 200-211

【Authors】: Kevin A. Roundy ; Acar Tamersoy ; Michael Spertus ; Michael Hart ; Daniel Kats ; Matteo Dell'Amico ; Robert Scott

【Abstract】: The central task of a Security Incident and Event Manager (SIEM) or Managed Security Service Provider (MSSP) is to detect security incidents on the basis of tens of thousands of event types coming from many kinds of security products. We present Smoke Detector, which processes trillions of security events with the Random Walk with Restart (RWR) algorithm, inferring high order relationships between known security incidents and imperfect secondary security events (smoke) to find undiscovered security incidents (fire). By finding previously undetected incidents, Smoke Detector's RWR algorithm is able to increase the MSSP's critical incident count by 19% with a 1.3% FP rate. Perhaps equally importantly, our approach offers significant benefits beyond increased incident detection: (1) It provides a robust approach for leveraging Big Data sensor nets to increase adversarial resistance of protected networks; (2) Our event-scoring techniques enable efficient discovery of primary indicators of compromise; (3) Our confidence scores provide intuition and tuning capabilities for Smoke Detector's discovered security incidents, aiding incident display and response.

18. I Like It, but I Hate It: Employee Perceptions Towards an Institutional Transition to BYOD Second-Factor Authentication.

【Pages】: 212-224

【Authors】: Jake Weidman ; Jens Grossklags

【Abstract】: The continued acceptance of enhanced security technologies in the private sector, such as two-factor authentication, has prompted significant changes of organizational security practices. While past work has focused on understanding how users in consumer settings react to enhanced security measures for banking, email, and more, little work has been done to explore how these technological transitions and applications occur within organizational settings. Moreover, while many corporations have invested significantly to secure their networks for the sake of protecting valuable intellectual property, academic institutions, which also create troves of intellectual property, have fallen behind in this endeavor. In this paper, we detail a transition from a token-based, two-factor authentication system within an academic institution to an entirely digital system utilizing employee-owned mobile devices. To accomplish this, we first conducted discussions with staff from the Information Security Office to understand the administrative perspective of the transition. Second, our key contribution is the analysis of an in-depth survey to explore the perceived benefits and usability of the novel technological requirements from the employee perspective. In particular, we investigate the implications of the new authentication system based on employee acceptance or opposition to the mandated technological transition, with a specific focus on the utilization of personal devices for workplace authentication.

【Keywords】: 2FA; BYOD; Bring-your-own-device; Security in organizations; Survey study; Two-factor authentication

Internet of Things (IoT) 3

19. VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks.

【Pages】: 225-237

【Authors】: Jo Van Bulck ; Jan Tobias Mühlberg ; Frank Piessens

【Abstract】: Vehicular communication networks have been subject to a growing number of attacks that put the safety of passengers at risk. This resulted in millions of vehicles being recalled and lawsuits against car manufacturers. While recent standardization efforts address security, no practical solutions are implemented in current cars. This paper presents VulCAN, a generic design for efficient vehicle message authentication, plus software component attestation and isolation using lightweight trusted computing technology. Specifically, we advance the state-of-the-art by not only protecting against network attackers, but also against substantially stronger adversaries capable of arbitrary code execution on participating electronic control units. We demonstrate the feasibility and practicality of VulCAN by implementing and evaluating two previously proposed, industry standard-compliant message authentication protocols on top of Sancus, an open-source embedded protected module architecture. Our results are promising, showing that strong, hardware-enforced security guarantees can be met with a minimal trusted computing base without violating real-time deadlines under benign conditions.

【Keywords】: Automotive security; CAN; Protected module; Trusted computing

20. Automated Analysis of Secure Internet of Things Protocols.

【Pages】: 238-249

【Authors】: Jun Young Kim ; Ralph Holz ; Wen Hu ; Sanjay Jha

【Abstract】: Formal security analysis has proven to be a useful tool for tracking modifications in communication protocols in an automated manner, where full security analysis of revisions requires minimum efforts. In this paper, we formally analysed prominent IoT protocols and uncovered many critical challenges in practical IoT settings. We address these challenges by using formal symbolic modelling of such protocols under various adversaries and security goals. Furthermore, this paper extends formal analysis to cryptographic Denial-of-Service (DoS) attacks and demonstrates that a vast majority of IoT protocols are vulnerable to such resource exhaustion attacks. We present a cryptographic DoS attack countermeasure that can be generally used in many IoT protocols. Our study of prominent IoT protocols such as CoAP and MQTT shows the benefits of our approach.

【Keywords】:

21. HoloPair: Securing Shared Augmented Reality Using Microsoft HoloLens.

【Pages】:250-261

【Authors】: Ivo Sluganovic ; Matej Serbec ; Ante Derek ; Ivan Martinovic

【Abstract】: Augmented Reality (AR) devices continuously scan their environment in order to naturally overlay virtual objects onto user's view of the physical world. In contrast to Virtual Reality, where one's environment is fully replaced with a virtual one, one of AR's "killer features" is co-located collaboration, in which multiple users interact with the same combination of virtual and real objects. Microsoft recently released HoloLens, the first consumer-ready augmented reality headset that needs no outside markers to achieve precise inside-out spatial mapping, which allows centimeter-scale hologram positioning. However, despite many applications published on the Windows Mixed Reality platform that rely on direct communication between AR devices, there currently exists no implementation or achievable proposal for secure direct pairing of two unassociated headsets. As augmented reality gets into mainstream, this omission exposes current and future users to a range of avoidable attacks. In order to close this real-world gap in both theory and engineering practice, in this paper we design and evaluate HoloPair, a system for secure and usable pairing of two AR headsets. We propose a pairing protocol and build a working prototype to experimentally evaluate its security guarantees, usability, and system performance. By running a user study with a total of 22 participants, we show that the system achieves high rates of attack detection, short pairing times, and a high average usability score. Moreover, in order to make an immediate impact on the wider developer community, we have published the full implementation and source code of our prototype, which is currently under consideration to be included in the official HoloLens development toolkit.

【Keywords】:

Adversarial Machine Learning 3

22. Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning.

【Pages】:262-277

【Authors】: Uyeong Jang ; Xi Wu ; Somesh Jha

【Abstract】: Fueled by massive amounts of data, models produced by machine-learning (ML) algorithms are being used in diverse domains where security is a concern, such as, automotive systems, finance, health-care, computer vision, speech recognition, natural-language processing, and malware detection. Of particular concern is use of ML in cyberphysical systems, such as driver-less cars and aviation, where the presence of an adversary can cause serious consequences. In this paper we focus on attacks caused by adversarial samples, which are inputs crafted by adding small, often imperceptible, perturbations to force a ML model to misclassify. We present a simple gradient-descent based algorithm for finding adversarial samples, which performs well in comparison to existing algorithms. The second issue that this paper tackles is that of metrics. We present a novel metric based on few computer-vision algorithms for measuring the quality of adversarial samples.

【Keywords】: Adversarial Examples; Machine Learning

23. Mitigating Evasion Attacks to Deep Neural Networks via Region-based Classification.

【Pages】:278-287

【Authors】: Xiaoyu Cao ; Neil Zhenqiang Gong

【Abstract】: Deep neural networks (DNNs) have transformed several artificial intelligence research areas including computer vision, speech recognition, and natural language processing. However, recent studies demonstrated that DNNs are vulnerable to adversarial manipulations at testing time. Specifically, suppose we have a testing example, whose label can be correctly predicted by a DNN classifier. An attacker can add a small carefully crafted noise to the testing example such that the DNN classifier predicts an incorrect label, where the crafted testing example is called adversarial example. Such attacks are called evasion attacks. Evasion attacks are one of the biggest challenges for deploying DNNs in safety and security critical applications such as self-driving cars. In this work, we develop new DNNs that are robust to state-of-the-art evasion attacks. Our key observation is that adversarial examples are close to the classification boundary. Therefore, we propose region-based classification to be robust to adversarial examples. Specifically, for a benign/adversarial testing example, we ensemble information in a hypercube centered at the example to predict its label. In contrast, traditional classifiers are point-based classification, i.e., given a testing example, the classifier predicts its label based on the testing example alone. Our evaluation results on MNIST and CIFAR-10 datasets demonstrate that our region-based classification can significantly mitigate evasion attacks without sacrificing classification accuracy on benign examples. Specifically, our region-based classification achieves the same classification accuracy on testing benign examples as point-based classification, but our region-based classification is significantly more robust than point-based classification to state-of-the-art evasion attacks.

【Keywords】: adversarial machine learning; evasion attacks; region-based classification

24. Malware Detection in Adversarial Settings: Exploiting Feature Evolutions and Confusions in Android Apps.

【Pages】:288-302

【Authors】: Wei Yang ; Deguang Kong ; Tao Xie ; Carl A. Gunter

【Abstract】: Existing techniques on adversarial malware generation employ feature mutations based on feature vectors extracted from malware. However, most (if not all) of these techniques suffer from a common limitation: feasibility of these attacks is unknown. The synthesized mutations may break the inherent constraints posed by code structures of the malware, causing either crashes or malfunctioning of malicious payloads. To address the limitation, we present Malware Recomposition Variation (MRV), an approach that conducts semantic analysis of existing malware to systematically construct new malware variants for malware detectors to test and strengthen their detection signatures/models. In particular, we use two variation strategies (i.e., malware evolution attack and malware confusion attack) following structures of existing malware to enhance feasibility of the attacks. Upon the given malware, we conduct semantic-feature mutation analysis and phylogenetic analysis to synthesize mutation strategies. Based on these strategies, we perform program transplantation to automatically mutate malware bytecode to generate new malware variants. We evaluate our MRV approach on actual malware variants, and our empirical evaluation on 1,935 Android benign apps and 1,917 malware shows that MRV produces malware variants that can have high likelihood to evade detection while still retaining their malicious behaviors. We also propose and evaluate three defense mechanisms to counter MRV.

【Keywords】: Adversarial classification; Malware detection

Cyber-Physical Systems 3

25. Grid Shock: Coordinated Load-Changing Attacks on Power Grids: The Non-Smart Power Grid is Vulnerable to Cyber Attacks as Well.

【Pages】:303-314

【Authors】: Adrian Dabrowski ; Johanna Ullrich ; Edgar R. Weippl

【Abstract】: Electric power grids are among the largest human-made control structures and are considered as critical infrastructure due to their importance for daily life. When operating a power grid, providers have to continuously maintain a balance between supply (i.e., production in power plants) and demand (i.e., power consumption) to keep the power grid's nominal frequency of 50 Hz or alternatively 60 Hz. Power consumption is forecast by elaborated models including multiple parameters like weather, season, and time of the day; they are based on the premise of many small consumers averaging out their energy consumption spikes. In this paper, we develop attacks violating this assumption, investigate their impact on power grid operation, and assess their feasibility for today's adversaries. In our scenario, an adversary builds (or rents) a botnet of zombie computers and modulates their power consumption, e.g., by utilizing CPU, GPU, hard disks, screen brightness, and laser printers in a coordinated way over the Internet. Outperforming the grid's countervailing mechanisms in time, the grid is pushed into unstable states triggering automated load shedding or tie-line tripping. We show that an adversary does not have to rely on smart grid features to modulate power consumption given that an adequate communication infrastructure for striking the (legacy) power grid is currently nearly omnipresent: the Internet to whom more and more power-consuming devices are connected. Our simulations estimate that between 2.5 and 9.8 million infections are sufficient to attack the European synchronous grid -- depending on the mix of infected devices, the current mix of active power plant types, and the current overall produced power. However, the herein described attack mechanisms are not limited to the European grid.

【Keywords】:

26. Orpheus: Enforcing Cyber-Physical Execution Semantics to Defend Against Data-Oriented Attacks.

【Pages】:315-326

【Authors】: Long Cheng ; Ke Tian ; Danfeng (Daphne) Yao

【Abstract】: Recent studies have revealed that control programs running on embedded devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We address several challenges in reasoning cyber-physical execution semantics of a control program, including the event identification and dependence analysis. As an instantiation of Orpheus, we present a new program behavior model, i.e., the event-aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if physical events and eFSA's state transitions are inconsistent. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s~0.211s for the cyber-physical contextual consistency checking.

【Keywords】: Anomaly detection; Control programs; Cyber-physical systems; Data-oriented attacks; Event awareness; Execution semantics

27. TRAKS: A Universal Key Management Scheme for ERTMS.

【Pages】:327-338

【Authors】: Richard J. Thomas ; Mihai Ordean ; Tom Chothia ; Joeri de Ruiter

【Abstract】: This paper presents a new Key Management and Distribution Scheme for use in the European Rail Traffic Management System (ERTMS). Its aim is to simplify key management and improve cross-border operations through hierarchical partitioning. The current scheme used in ERTMS involves the creation and distribution of 3DES keys to train and trackside entities, which are then used as part of the Euro Radio Protocol to provide message authentication. This results in the distribution of tens of thousands of keys using portable media, a prohibitively high burden on management and resourcing. We present a symmetric key solution, TRAKS, which has the benefit of being backwards compatible with the current ERTMS standard and being post-quantum secure. This new scheme reduces the number of cryptographic keys in circulation, and maintains the current security model. We achieve this by dynamically deriving unique keys from a shared secret, i.e. the line secret, which is combined with IDs of trains, and of signalling equipment. In addition to providing better key management, our scheme also adds authentication to the location data provided by EuroBalises.

【Keywords】:

Android Malware 3

28. Supporting Transparent Snapshot for Bare-metal Malware Analysis on Mobile Devices.

【Pages】:339-349

【Authors】: Le Guan ; Shijie Jia ; Bo Chen ; Fengwei Zhang ; Bo Luo ; Jingqiang Lin ; Peng Liu ; Xinyu Xing ; Luning Xia

【Abstract】: The increasing growth of cybercrimes targeting mobile devices urges an efficient malware analysis platform. With the emergence of evasive malware, which is capable of detecting that it is being analyzed in virtualized environments, bare-metal analysis has become the definitive resort. Existing works mainly focus on extracting the malicious behaviors exposed during bare-metal analysis. However, after malware analysis, it is equally important to quickly restore the system to a clean state to examine the next sample. Unfortunately, state-of-the-art solutions on mobile platforms can only restore the disk, and require a time-consuming system reboot. In addition, all of the existing works require some in-guest components to assist the restoration. Therefore, a kernel-level malware is still able to detect the presence of the in-guest components. We propose Bolt, a transparent restoration mechanism for bare-metal analysis on mobile platform without rebooting. Bolt achieves a reboot-less restoration by simultaneously making a snapshot for both the physical memory and the disk. Memory snapshot is enabled by an isolated operating system (BoltOS) in the ARM TrustZone secure world, and disk snapshot is accomplished by a piece of customized firmware (BoltFTL) for flash-based block devices. Because both the BoltOS and the BoltFTL are isolated from the guest system, even kernel-level malware cannot interfere with the restoration. More importantly, Bolt does not require any modifications into the guest system. As such, Bolt is the first that simultaneously achieves efficiency, isolation, and stealthiness to recover from infection due to malware execution. We have implemented a Bolt prototype working with the Android OS. Experimental results show that Bolt can restore the guest system to a clean state in only 2.80 seconds.

【Keywords】: Bare-metal Analysis; Evasive Malware; Flash-based Block Device; Snapshot

29. Droid-AntiRM: Taming Control Flow Anti-analysis to Support Automated Dynamic Analysis of Android Malware.

【Pages】:350-361

【Authors】: Xiaolei Wang ; Sencun Zhu ; Dehua Zhou ; Yuexiang Yang

【Abstract】: While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient in triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach seeking to tame anti-analysis automatically and improve automated dynamic analysis. Our approach leverages three key observations: 1) Logic-bomb based anti-analysis techniques control the execution of certain malicious behaviors; 2) Anti-analysis techniques are normally implemented through condition statements; 3) Anti-analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-analysis in malware samples, and rewrite the condition statements in anti-analysis cases through bytecode instrumentation, thus forcing the hidden behavior to be executed at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-analysis instances from 30 malware samples with a true positive rate of 89.15% and zero false negative. By taming the identified anti-analysis, Droid-AntiRM can greatly improve the automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors from the 30 samples. Further performance evaluation shows that Droid-AntiRM has good efficiency to perform large-scale analysis.

【Keywords】: Android Malware; Anti-Analysis; Dynamic Analysis; Symbolic Data Flow Analysis

30. SecureDroid: Enhancing Security of Machine Learning-based Detection against Adversarial Android Malware Attacks.

【Pages】:362-372

【Authors】: Lingwei Chen ; Shifu Hou ; Yanfang Ye

【Abstract】: With smart phones being indispensable in people's everyday life, Android malware has posed serious threats to their security, making its detection of utmost concern. To protect legitimate users from the evolving Android malware attacks, machine learning-based systems have been successfully deployed and offer unparalleled flexibility in automatic Android malware detection. In these systems, based on different feature representations, various kinds of classifiers are constructed to detect Android malware. Unfortunately, as classifiers become more widely deployed, the incentive for defeating them increases. In this paper, we explore the security of machine learning in Android malware detection on the basis of a learning-based classifier with the input of a set of features extracted from the Android applications (apps). We consider different importances of the features associated with their contributions to the classification problem as well as their manipulation costs, and present a novel feature selection method (named SecCLS) to make the classifier harder to be evaded. To improve the system security while not compromising the detection accuracy, we further propose an ensemble learning approach (named SecENS) by aggregating the individual classifiers that are constructed using our proposed feature selection method SecCLS. Accordingly, we develop a system called SecureDroid which integrates our proposed methods (i.e., SecCLS and SecENS) to enhance security of machine learning-based Android malware detection. Comprehensive experiments on the real sample collections from Comodo Cloud Security Center are conducted to validate the effectiveness of SecureDroid against adversarial Android malware attacks by comparisons with other alternative defense methods. Our proposed secure-learning paradigm can also be readily applied to other malware detection tasks.

【Keywords】: Adversarial Attack; Android Malware Detection; Machine Learning

Intrusions 3

31. DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting.

【Pages】:373-386

【Authors】: Riccardo Bortolameotti ; Thijs van Ede ; Marco Caselli ; Maarten H. Everts ; Pieter H. Hartel ; Rick Hofstede ; Willem Jonker ; Andreas Peter

【Abstract】: We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines, an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as using known browser user agent values. We compare our solution with DUMONT [24], the current state-of-the-art IDS which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that DECANTeR outperforms DUMONT in terms of detection rate, false positive rate, and even evasion-resistance. Finally, DECANTeR detects 96.8% of information stealers in our dataset, which shows its potential to detect data exfiltration.

【Keywords】: Anomaly Detection; Application Fingerprinting; Data Exfiltration; Data Leakage; Network Security

32. Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior.

【Pages】:387-398

【Authors】: Timothy Barron ; Nick Nikiforakis

【Abstract】: Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research where researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month long study involving 102 medium-interaction honeypots where we vary a honeypot's location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force, honeypots to hacking forums and paste-sites and monitor the actions of the incoming attackers. Among others, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.

【Keywords】:

33. Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode.

【Pages】:399-411

【Authors】: Ronny Chevalier ; Maugan Villatel ; David Plaquin ; Guillaume Hiet

【Abstract】: Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDKII and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 us threshold defined by Intel).

【Keywords】: CFI; Hardware-based monitoring; SMM; co-processor; firmware

Embedded Systems 3

34. RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications.

【Pages】:412-424

【Authors】: Taegyu Kim ; Chung Hwan Kim ; Hongjun Choi ; Yonghwi Kwon ; Brendan Saltaformaggio ; Xiangyu Zhang ; Dongyan Xu

【Abstract】: ARM is the leading processor architecture in the emerging mobile and embedded market. Unfortunately, there has been a myriad of security issues on both mobile and embedded systems. While many countermeasures of such security issues have been proposed in recent years, a majority of applications still cannot be patched or protected due to run-time and space overhead constraints and the unavailability of source code. More importantly, the rapidly evolving mobile and embedded market makes any platform-specific solution ineffective. In this paper, we propose RevARM, a binary rewriting technique capable of instrumenting ARM-based binaries without limitation on the target platform. Unlike many previous binary instrumentation tools that are designed to instrument binaries based on x86, RevARM must resolve a number of new, ARM-specific binary rewriting challenges. Moreover, RevARM is able to handle stripped binaries, requires no symbolic/semantic information, and supports Mach-O binaries, overcoming the limitations of existing approaches. Finally, we demonstrate the capabilities of RevARM in solving real-world security challenges. Our evaluation results across a variety of platforms, including popular mobile and embedded systems, show that RevARM is highly effective in instrumenting ARM binaries with an average of 3.2% run-time and 1.3% space overhead.

【Keywords】:

35. Secure and Efficient Software-based Attestation for Industrial Control Devices with ARM Processors.

【Pages】:425-436

【Authors】: Binbin Chen ; Xinshu Dong ; Guangdong Bai ; Sumeet Jauhar ; Yueqiang Cheng

【Abstract】: For industrial control systems, ensuring the software integrity of their devices is a key security requirement. A pure software-based attestation solution is highly desirable for protecting legacy field devices that lack hardware root of trust (e.g., Trusted Platform Module). However, for the large population of field devices with ARM processors, existing software-based attestation schemes either incur long attestation time or are insecure. In this paper, we design a novel memory stride technique that significantly reduces the attestation time while remaining secure against known attacks and their advanced variants on ARM platform. We analyze the scheme's security and performance based on the formal framework proposed by Armknecht et al. [7] (with a necessary change to ensure its applicability in practical settings). We also implement memory stride on two models of real-world power grid devices that are widely deployed today, and demonstrate its superior performance.

【Keywords】: ARM Processors; Software-based attestation; industrial control devices; memory stride

36. ECFI: Asynchronous Control Flow Integrity for Programmable Logic Controllers.

【Pages】:437-448

【Authors】: Ali Abbasi ; Thorsten Holz ; Emmanuele Zambon ; Sandro Etalle

【Abstract】: Programmable Logic Controllers (PLCs) are a family of embedded devices that are being used to control physical processes in critical infrastructures. Similar to other embedded devices, PLCs are vulnerable to memory corruption and control-flow hijacking attacks. Because PLCs are being used for critical control applications, compromised PLCs constitute a significant security and safety risk. In this paper, we introduce a novel, PLC-compatible control-flow integrity (CFI) mechanism named ECFI to protect such devices from control-flow hijacking attacks. Our CFI approach is the first system for real-time PLCs and considers the runtime operation of the PLC as the highest priority. We implemented a prototype of ECFI and tested it in a real-world industrial PLC against different kinds of attacks. Our performance evaluation demonstrates that ECFI is an efficient, non-intrusive CFI solution that does not impose notable performance overhead and maintains the timeliness of PLC runtime operations, a critical property for this kind of embedded systems.

【Keywords】: Embedded System; Industrial Control System (ICS); PLC; Real-Time

Network Security 3

37. Lean On Me: Mining Internet Service Dependencies From Large-Scale DNS Data.

【Pages】:449-460

【Authors】: Matteo Dell'Amico ; Leyla Bilge ; Ashwin Kayyoor ; Petros Efstathopoulos ; Pierre-Antoine Vervier

【Abstract】: Most websites, services, and applications have come to rely on Internet services (e.g., DNS, CDN, email, WWW, etc.) offered by third parties. Although employing such services generally improves reliability and cost-effectiveness, it also creates dependencies on service providers, which may expose websites to additional risks, such as DDoS attacks or cascading failures. As cloud services are becoming more popular, an increasing percentage of the overall Internet ecosystem relies on a decreasing number of highly popular services. In our general effort to assess the security risk for a given entity, and motivated by the effects of recent service disruptions, we perform a large-scale analysis of passive and active DNS datasets including more than 2.5 trillion queries in order to discover the dependencies between websites and Internet services. In this paper, we present the findings of our DNS dataset analysis, and attempt to expose important insights about the ecosystem of dependencies. To further understand the nature of dependencies, we perform graph-theoretic analysis on the dependency graph and propose support power, a novel power measure that can quantify the amount of dependence websites and other services have on a particular service. Our DNS analysis findings reveal that the current service ecosystem is dominated by a handful of popular service providers---with Amazon being the leader, by far---whose popularity is steadily increasing. These findings are further supported by our graph analysis results, which also reveals a set of less-popular services that many (regional) websites depend on.

【Keywords】:

38. A Security-Mode for Carrier-Grade SDN Controllers.

【Pages】:461-473

【Authors】: Changhoon Yoon ; Seungwon Shin ; Phillip A. Porras ; Vinod Yegneswaran ; Heedo Kang ; Martin W. Fong ; Brian O'Connor ; Thomas Vachuska

【Abstract】: Management approaches to modern networks are increasingly influenced by software-defined networks (SDNs), and this increased influence is reflected in the growth of commercially available innovative SDN-based switches, controllers and applications. To date, there have been a number of commercial and open-source SDN operating systems (NOS) introduced for various purposes, including distributed controller frameworks targeting large, carrier-grade networks such as the Open Network Operating System (ONOS) and OpenDayLight (ODL). These frameworks are distinguished by their (i) elastic cluster controller architecture, (ii) network virtualization support, and (iii) modular design. Given their flexible design, growing list of supported features, and collaborative community support, these are attractive hosting platforms for a wide range of third-party distributed network management applications. This paper identifies the common security requirements for policy enforcement in such distributed controller environments. We present the design of a network application permission-enforcement model and an integrated security subsystem (SM-ONOS) for managing distributed applications running on an ONOS controller. We discuss the underlying motivations of its security extensions and their implications for improving our understanding of how to securely manage large-scale SDNs. Our performance assessments demonstrate that the security-mode extension imposed reasonable overheads (ranging from 5 to 20% for 1-7 node clusters).

【Keywords】:

39. RESECT: Self-Learning Traffic Filters for IP Spoofing Defense.

【Pages】:474-485

【Authors】: Jelena Mirkovic ; Erik Kline ; Peter L. Reiher

【Abstract】: IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, the sheer volume of such traffic requires handling further upstream. We propose RESECT---a self-learning spoofed packet filter that detects spoofed traffic upstream from the victim by combining information about the traffic's expected route and about the sender's response to a few packet drops. RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath. Its operation has a minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. In isolated deployment, RESECT greatly reduces spoofed traffic to the deploying network and its customers, to 8-26% of its intended rate. If deployed at 50 best-connected autonomous systems, RESECT protects the deploying networks and their customers from 99% of spoofed traffic, and filters 91% of spoofed traffic sent to any other destination. RESECT is thus both a practical and highly effective solution for IP spoofing defense.

【Keywords】: DDoS defense; IP spoofing; traffic filtering

Usability 3

40. Towards Baselines for Shoulder Surfing on Mobile Authentication.

【Paper Link】 【Pages】:486-498

【Authors】: Adam J. Aviv ; John T. Davin ; Flynn Wolf ; Ravi Kuber

【Abstract】: Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of an observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current systems is less well studied. In this paper, we describe a large online experiment (n = 1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering in a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attacking surface where a single observation leads to just 10.8% successful attacks (26.5% with multiple observations). As a comparison, 6-length Android patterns, with one observation, were found to have an attack rate of 64.2% (79.9% with multiple observations). Removing feedback lines for patterns improves security to 35.3% (52.1% with multiple observations). This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best and worst case scenarios related to shoulder surfing vulnerability which can both help inform users to improve their security choices, as well as establish baselines for researchers.

【Keywords】: PIN passwords; Shoulder surfing; graphical passwords; mobile authentication; mobile security; password security; usable security

41. On the Pitfalls of End-to-End Encrypted Communications: A Study of Remote Key-Fingerprint Verification.

【Paper Link】 【Pages】:499-511

【Authors】: Maliheh Shirvanian ; Nitesh Saxena ; Jesvin James George

【Abstract】: Many widely used Internet messaging and calling apps, such as WhatsApp, Viber, Telegram, and Signal, have deployed an end-to-end encryption functionality. To defeat potential man-in-the-middle attackers against the key exchange protocol, the approach crucially relies upon users to perform a code verification task whereby each user must compare the code (a fingerprint of the cryptographic keys) computed by her app with the one computed by the other user's app and reject the session if the two codes do not match. In this paper, we study the security and usability of this human-centered code verification task for a prominent setting where the end users are remotely located, and compare it as a baseline to a potentially less frequent scenario where the end users are in close proximity. We consider several variations of the code presentation and code verification methods, incorporated into representative real-world apps, including codes encoded as numbers or images, displayed on the screen, and verbally spoken by the users. We perform a carefully-designed human factors study in a lab setting to quantify the security and usability of these different methods. Our study results expose key weaknesses in the security and usability of the code verification methods employed in the remote end-to-end encryption apps. First, we show that generally most code verification methods offer poor security (high false accepts) and low usability (high false rejects and low user experience ratings) in the remote setting. Second, we demonstrate that security and usability under the remote code verification setting are significantly lower than those in the proximity code verification setting. We attribute this result to the increased cognitive overhead associated with comparing the codes across two apps on the same device (remote setting) rather than across two devices (proximity setting). Overall, our work serves to highlight a serious fundamental vulnerability of Internet-based communication apps in the remote setting stemming from human errors.

【Keywords】: end-to-end encryption; fingerprint verification; key exchange validation; mobile app security

42. Here Is Your Fingerprint!: Actual Risk versus User Perception of Latent Fingerprints and Smudges Remaining on Smartphones.

【Paper Link】 【Pages】:512-527

【Authors】: Hoyeon Lee ; Seungyeon Kim ; Taekyoung Kwon

【Abstract】: A small touch sensor employed in smartphones can only capture a partial limited portion of the full fingerprint, and so it is more vulnerable to fingerprint spoofing attacks that leverage a user's firm impression. However, it is still unknown whether daily smudges remaining on the smartphone surface can be exploited to circumvent the small touch sensor. In this paper, we first study how to exploit the fingerprint smudges left on the smartphone surface in daily use, and present the so-called fingerprint SCRAP attack, which uses smudges remaining on the home button and touch screen to reconstruct an image of the enrolled fingerprint in good quality. We conduct an experimental study to show the actual risk regarding this attack. We collect 403 latent fingerprints from the smudges left on the touch screens (361) and home buttons (42) by seven users in six conditions (tapping, passcode-typing, text-typing, Facebook, in-pocket, wiping). Using them, we perform our attack and evaluate the results in comparison with the firmly impressed fingerprints. The study results indicate that our attack is an actual risk to the small touch sensors. We then investigate the user's touch behavior and perception gap. We conduct in-person surveys involving 82 participants, and ask about their touch behaviors and also their risk perception regarding the latent fingerprints. The survey results show that the fingers most frequently used on a touch screen and a home button are the same, and the user's risk perception is very low. We finally discuss mitigation methods and future directions.

【Keywords】: fingerprint; smartphone; smudge; touch sensor; user perception

System Security 3

43. Protecting Against Malicious Bits On the Wire: Automatically Generating a USB Protocol Parser for a Production Kernel.

【Paper Link】 【Pages】:528-541

【Authors】: Peter C. Johnson ; Sergey Bratus ; Sean W. Smith

【Abstract】: Recent efforts to harden hosts against malicious USB devices have focused on the higher layers of the protocol. We present a domain-specific language (DSL) to create a bit-level model of the USB protocol, from which we automatically generate software components that exhaustively validate the bit-level syntax of protocol messages. We use these generated components to create a stateful, connection-tracking firewall for USB. We integrate this firewall with the FreeBSD kernel and demonstrate that it achieves complete mediation of USB traffic, thus protecting the rest of the kernel, including higher-level policy mechanisms such as USBFilter, from low-level attacks via maliciously crafted packets. In addition to in-kernel data structures and packet validation routines, our system generates a user-level policy engine that allows for flexible and expressive firewall behavior beyond mere message syntax validation, as well as functions for pretty-printing packets (which can be used in both the kernel and in protocol analysis software). We use a Haskell back-end to generate C code that we integrate with the FreeBSD kernel, thus making our entire system amenable to formal verification.

【Keywords】:

44. Nioh: Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices.

【Paper Link】 【Pages】:542-552

【Authors】: Junya Ogasawara ; Kenji Kono

【Abstract】: Vulnerabilities in hypervisors are crucial in multi-tenant clouds since they can undermine the security of all virtual machines (VMs) consolidated on a vulnerable hypervisor. Unfortunately, 107 vulnerabilities in KVM+QEMU and 38 vulnerabilities in Xen have been reported in 2016. The device-emulation layer in hypervisors is a hotbed of vulnerabilities because the code for virtualizing devices is complicated and requires knowledge on the device internals. We propose a "device request filter", called Nioh, that raises the bar for attackers to exploit the vulnerabilities in hypervisors. The key insight behind Nioh is that malicious I/O requests attempt to exploit vulnerabilities and violate device specifications in many cases. Nioh inspects I/O requests from VMs and rejects those that do not conform to a device specification. A device specification is modeled as a device automaton in Nioh, an extended automaton to facilitate the description of device specifications. The software framework is also provided to encapsulate the interactions between the device request filter and the underlying hypervisors. The results of our attack evaluation suggest that Nioh can defend against attacks that exploit vulnerabilities in device emulation, i.e., CVE-2015-5158, CVE-2016-1568, CVE-2016-4439, and CVE-2016-7909. This paper shows that the notorious VENOM attack can be detected and rejected by using Nioh.

【Keywords】: VENOM; Virtual Device; Virtualization

45. Analysis of SEAndroid Policies: Combining MAC and DAC in Android.

【Paper Link】 【Pages】:553-565

【Authors】: Haining Chen ; Ninghui Li ; William Enck ; Yousra Aafer ; Xiangyu Zhang

【Abstract】: Android has become a dominant computing platform, and its popularity has coincided with a surge of malware. The incorporation of Security-Enhanced Linux in Android (SEAndroid) is an important security enhancement to the platform. While SEAndroid adds the benefits of mandatory protection that SELinux brought to desktops and servers, the protection is only as good as the policy. Existing Android devices contain a wide variety of SEAndroid policies, depending on both the version of Android as well as the device manufacturer. In this paper, we present an approach to analyze SEAndroid policies in conjunction with the underlying Linux/Unix Discretionary Access Control policies. We apply our approach to four different versions of Android Open Source Project (AOSP) as well as devices from seven different manufacturers, and find several forms of unintentional privilege assignments.

【Keywords】: Android; DAC; MAC; Policy Analysis; SEAndroid

Privacy 3

46. Commoner Privacy And A Study On Network Traces.

【Paper Link】 【Pages】:566-576

【Authors】: Xiyue Deng ; Jelena Mirkovic

【Abstract】: Differential privacy has emerged as a promising mechanism for privacy-safe data mining. One popular differential privacy mechanism allows researchers to pose queries over a dataset, and adds random noise to all output points to protect privacy. While differential privacy produces useful data in many scenarios, added noise may jeopardize utility for queries posed over small populations or over long-tailed datasets. Gehrke et al. proposed crowd-blending privacy, with random noise added only to those output points where fewer than k individuals (a configurable parameter) contribute to the point in the same manner. This approach has a lower privacy guarantee, but preserves more research utility than differential privacy. We propose an even more liberal privacy goal---commoner privacy---which fuzzes (omits, aggregates or adds noise to) only those output points where an individual's contribution to this point is an outlier. By hiding outliers, our mechanism hides the presence or absence of an individual in a dataset. We propose one mechanism that achieves commoner privacy---interactive k-anonymity. We also discuss query composition and show how we can guarantee privacy via either a pre-sampling step or via query introspection. We implement interactive k-anonymity and query introspection in a system called Patrol for network trace processing. Our evaluation shows that commoner privacy prevents common attacks while preserving orders of magnitude higher research utility than differential privacy, and at least 9-49 times the utility of crowd-blending privacy.

【Keywords】: data sharing; network traces; privacy

47. The Devil's in The Details: Placing Decoy Routers in the Internet.

【Paper Link】 【Pages】:577-589

【Authors】: Devashish Gosain ; Anshika Agarwal ; Sambuddho Chakravarty ; H. B. Acharya

【Abstract】: Decoy Routing, the use of routers (rather than end hosts) as proxies, is a new direction in anti-censorship research. Decoy Routers (DRs), placed in Autonomous Systems, proxy traffic from users; so the adversary, e.g. a censorious government, attempts to avoid them. It is quite difficult to place DRs so the adversary cannot route around them -- for example, we need the cooperation of 850 ASes to contain China alone [1]. In this paper, we consider a different approach. We begin by noting that DRs need not intercept all the network paths from a country, just those leading to Overt Destinations, i.e. unfiltered websites hosted outside the country (usually popular ones, so that client traffic to the OD does not make the censor suspicious). Our first question is -- How many ASes are required for installing DRs to intercept a large fraction of paths from e.g. China to the top-n websites (as per Alexa)? How does this number grow with n? To our surprise, the same few (≈ 30) ASes intercept over 90% of paths to the top n sites worldwide, for n = 10, 20...200 and also to other destinations. Investigating further, we find that this result fits perfectly with the hierarchical model of the Internet [2]; our first contribution is to demonstrate with real paths that the number of ASes required for a world-wide DR framework is small (≈ 30). Further, censor nations' attempts to filter traffic along the paths transiting these 30 ASes will not only block their own citizens, but others residing in foreign ASes. Our second contribution in this paper is to consider the details of DR placement: not just in which ASes DRs should be placed to intercept traffic, but exactly where in each AS. We find that even with our small number of ASes, we still need a total of about 11,700 DRs. We conclude that, even though a DR system involves far fewer ASes than previously thought, it is still a major undertaking. For example, the current routers cost over 10.3 billion USD, so if Decoy Routing at line speed requires all-new hardware, the cost alone would make such a project unfeasible for most actors (but not for major nation states).

【Keywords】: Anti-Censorship; Decoy Routing; Internet topology; Traceroute

48. Ex-Ray: Detection of History-Leaking Browser Extensions.

【Paper Link】 【Pages】:590-602

【Authors】: Michael Weissbacher ; Enrico Mariconti ; Guillermo Suarez-Tangil ; Gianluca Stringhini ; William K. Robertson ; Engin Kirda

【Abstract】: Web browsers have become the predominant means for developing and deploying applications, and thus they often handle sensitive data such as social interactions or financial credentials and information. As a consequence, defensive measures such as TLS, the Same-Origin Policy (SOP), and Content Security Policy (CSP) are critical for ensuring that sensitive data remains in trusted hands. Browser extensions, while a useful mechanism for allowing third-party extensions to core browser functionality, pose a security risk in this regard since they have access to privileged browser APIs that are not necessarily restricted by the SOP or CSP. Because of this, they have become a major vector for introducing malicious code into the browser. Prior work has led to improved security models for isolating and sandboxing extensions, as well as techniques for identifying potentially malicious extensions. The area of privacy-violating browser extensions has so far been covered by manual analysis and systems performing search on specific text on network traffic. However, comprehensive content-agnostic systems for identifying tracking behavior at the network level are an area that has not yet received significant attention. In this paper, we present a dynamic technique for identifying privacy-violating extensions in Web browsers that relies solely on observations of the network traffic patterns generated by browser extensions. We then present Ex-Ray, a prototype implementation of this technique for the Chrome Web browser, and use it to evaluate all extensions from the Chrome store with more than 1,000 installations (10,691 in total). Our evaluation finds new types of tracking behavior not covered by state of the art systems. Finally, we discuss potential browser improvements to prevent abuse by future user-tracking extensions.

【Keywords】: