ACSAC 2018: San Juan, PR, USA

Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03-07, 2018. ACM

Paper Num: 60 || Session Num: 16

Software Hardening 4

1. Shredder: Breaking Exploits through API Specialization.

【Pages】:1-16

【Authors】: Shachee Mishra ; Michalis Polychronakis

【Abstract】: Code reuse attacks have been a threat to software security since the introduction of non-executable memory protections. Despite significant advances in various types of additional defenses, such as control flow integrity (CFI) and leakage-resilient code randomization, recent code reuse attacks have demonstrated that these defenses are often not enough to prevent successful exploitation. Sophisticated exploits can reuse code comprising larger code fragments that conform to the enforced CFI policy and which are not affected by randomization. As a step towards improving our defenses against code reuse attacks, in this paper we present Shredder, a defense-in-depth exploit mitigation tool for the protection of closed-source applications. In a preprocessing phase, Shredder statically analyzes a given application to pinpoint the call sites of potentially useful (to attackers) system API functions, and uses backwards data flow analysis to derive their expected argument values and generate whitelisting policies in a best-effort way. At runtime, using library interposition, Shredder exposes to the protected application only specialized versions of these critical API functions, and blocks any invocation that violates the enforced policy. We have experimentally evaluated our prototype implementation for Windows programs using a large set of 251 shellcode and 30 code reuse samples, and show that it improves significantly upon code stripping, a state-of-the-art code surface reduction technique, by blocking a larger number of malicious payloads with negligible runtime overhead.

【Keywords】:

2. Type-After-Type: Practical and Complete Type-Safe Memory Reuse.

【Pages】:17-27

【Authors】: Erik van der Kouwe ; Taddeus Kroes ; Chris Ouwehand ; Herbert Bos ; Cristiano Giuffrida

【Abstract】: Temporal memory errors, such as use-after-free bugs, are increasingly popular among attackers and their exploitation is hard to stop efficiently using current techniques. We present a new design, called Type-After-Type, which builds on abstractions in production allocators to provide complete temporal type safety for C/C++ programs---ensuring that memory reuse is always type safe---and efficiently hinder temporal memory attacks. Type-After-Type uses static analysis to determine the types of all heap and stack allocations, and replaces regular allocations with typed allocations that never reuse memory previously used by other types. On the heap, Type-After-Type splits available memory into separate pools for each type. For the stack, Type-After-Type efficiently implements type-safe memory reuse for the first time, pushing variables on separate stacks according to their types, unless they are provably safe (e.g., their address is not taken), in which case they are zero-initialized and kept on a special stack. In our evaluation, we show that Type-After-Type stops a variety of real-world temporal memory attacks and on SPEC CPU2006 incurs a performance overhead of 4.3% and a memory overhead of 17.4% (geomean).

【Keywords】: LLVM; Use-after-free; computer systems; defense; uninitialized read

3. On the Effectiveness of Type-based Control Flow Integrity.

【Pages】:28-39

【Authors】: Reza Mirzazade Farkhani ; Saman Jafari ; Sajjad Arshad ; William K. Robertson ; Engin Kirda ; Hamed Okhravi

【Abstract】: Control flow integrity (CFI) has received significant attention in the community to combat control hijacking attacks in the presence of memory corruption vulnerabilities. The challenges in creating a practical CFI has resulted in the development of a new type of CFI based on runtime type checking (RTC). RTC-based CFI has been implemented in a number of recent practical efforts such as GRSecurity Reuse Attack Protector (RAP) and LLVM-CFI. While there has been a number of previous efforts that studied the strengths and limitations of other types of CFI techniques, little has been done to evaluate the RTC-based CFI. In this work, we study the effectiveness of RTC from the security and practicality aspects. From the security perspective, we observe that type collisions are abundant in sufficiently large code bases but exploiting them to build a functional attack is not straightforward. Then we show how an attacker can successfully bypass RTC techniques using a variant of ROP attacks that respect type checking (called TROP) and also built two proof-of-concept exploits, one against Nginx web server and the other against Exim mail server. We also discuss practical challenges of implementing RTC. Our findings suggest that while RTC is more practical for applying CFI to large code bases, its policy is not strong enough when facing a motivated attacker.

【Keywords】:

4. Practical Integrity Protection with Oblivious Hashing.

【Pages】:40-52

【Authors】: Mohsen Ahmadvand ; Anahit Hayrapetyan ; Sebastian Banescu ; Alexander Pretschner

【Abstract】: Oblivious hashing (OH) is an integrity protection technique that checks the (side) effects resulting from the executed code, in contrast to checking the code itself as done by self-checking (SC). SC introduces atypical behavior in the program logic, like reading the code section loaded in memory. Since such atypical behavior can be detected by attackers, OH is more appealing to be employed in practice than SC. However, OH is incapable of protecting a presumable majority of program instructions, those that depend on nondeterministic (input) data or branches, which have to be manually identified and subsequently skipped. In this paper, we extend OH into a practical protection scheme by proposing i) a technique for automatic segregation of deterministic instructions, and ii) a novel extension, Short Range Oblivious Hashing (SROH), for OH to cover control-flow instructions dependent on nondeterministic data. Our SROH technique increases the range of instructions that OH can protect to nondeterministic branches. Moreover, we intertwine OH with SC to cover (nondeterministic) data dependent instructions and enhance the resilience against tampering attacks. We evaluate the performance overhead as well as the security of our scheme using the MiBench dataset and 3 open source games. Our experiments show that the proposed technique yields a 20-fold increase in the median number of protected instructions and, on non-CPU-intensive programs, imposes an overhead of 52%.

【Keywords】: Man-At-The-End; Oblivious hashing; Self-checking; Software protection; Tamper detection

Authentication 4

5. Typing-Proof: Usable, Secure and Low-Cost Two-Factor Authentication Based on Keystroke Timings.

【Pages】:53-65

【Authors】: Ximing Liu ; Yingjiu Li ; Robert H. Deng

【Abstract】: Two-factor authentication (2FA) systems provide another layer of protection to users' accounts beyond password. Traditional hardware token based 2FA and software token based 2FA are not burdenless to users since they require users to read, remember, and type a onetime code in the process, and incur high costs in deployments or operations. Recent 2FA mechanisms such as Sound-Proof, reduce or eliminate users' interactions for the proof of the second factor; however, they are not designed to be used in certain settings (e.g., quiet environments or PCs without built-in microphones), and they are not secure in the presence of certain attacks (e.g., sound-danger attack and co-located attack). To address these problems, we propose Typing-Proof, a usable, secure and low-cost two-factor authentication mechanism. Typing-Proof is similar to software token based 2FA in a sense that it uses password as the first factor and uses a registered phone to prove the second factor. During the second-factor authentication procedure, it requires a user to type any random code on a login computer and authenticates the user by comparing the keystroke timing sequence of the random code recorded by the login computer with the sounds of typing random code recorded by the user's registered phone. Typing-Proof can be reliably used in any settings and requires zero user-phone interaction in most cases. It is practically secure and immune to the existing attacks to recent 2FA mechanisms. In addition, Typing-Proof enables significant cost savings for both service providers and users.

【Keywords】:

6. Latent Typing Biometrics in Online Collaboration Services.

【Pages】:66-76

【Authors】: Shane McCulley ; Vassil Roussev

【Abstract】: The use of typing biometrics---the characteristic typing patterns of individual keyboard users---has been studied extensively in the context of enhancing multi-factor authentication services. The key starting point for such work has been the collection of high-fidelity local timing data, and the key (implicit) security assumption has been that such biometrics could not be obtained by other means. We show the latter assumption to be false, and that it is entirely feasible to obtain useful typing biometric signatures from third-party timing logs. Specifically, we show that the logs produced by realtime collaboration services during their normal operation are of sufficient fidelity to successfully impersonate a user using remote data only. Since the logs are routinely shared as a byproduct of the services' operation, this creates an entirely new avenue of attack that few users would be aware of. As a proof of concept, we construct successful biometric attacks using only the log-based structure (complete editing history) of a shared Google Docs, or Zoho Writer, document which is readily available to all contributing parties. Using the largest available public data set of typing biometrics, we are able to create successful forgeries 100% of the time against a commercial biometric service. Our results suggest that typing biometrics are not robust against practical forgeries, and should not be given the same weight as other authentication factors. Another important implication is that the routine collection of detailed timing logs by various online services also inherently (and implicitly) contains biometrics. This not only raises obvious privacy concerns, but may also undermine the effectiveness of network anonymization solutions, such as ToR, when used with existing services.

【Keywords】: authorship attribution; cloud forensics; cloud security; keystroke dynamics; multifactor authentication; online collaboration; privacy; typing biometrics

7. Beware of Your Screen: Anonymous Fingerprinting of Device Screens for Off-line Payment Protection.

【Pages】:77-88

【Authors】: Zhe Zhou ; Di Tang ; Wenhao Wang ; Xiaofeng Wang ; Zhou Li ; Kehuan Zhang

【Abstract】: QR-code mobile payment becomes increasingly popular, being offered by major banks (e.g., ICBC) and payment service providers (e.g., PayPal). Unlike mobile payment solutions provided by hardware vendors (e.g., Apple Pay and Samsung Pay), QR code payment schemes do not rely on any hardware support and can therefore be easily deployed. However, the security guarantee of the new scheme is less clear: in the absence of hardware protection, users' digital wallet can be vulnerable to an OS-level adversary, who could steal her secret for generating payment tokens. We find that the physical features of a phone's screen can enhance the security protection of this QR-code payment, serving as a second-factor authentication. Due to manufacturing imperfections, the luminance levels of the pixels on the screen vary across the screen's display area, which can be used to uniquely characterize the screen. This physical fingerprint cannot be stolen even when the OS is fully compromised, since the adversary cannot observe the physical features of the screen. However, screen fingerprinting could also undermine the mobile payer's privacy, as less trusted merchants could use it to track customers and infer their purchase history and preferences. In this paper, we propose a new authentication solution that anonymously fingerprints mobile screens. The approach, called AnonPrint, obfuscates a screen, which hides its fingerprint from the merchants. In the meantime, the payment provider, who shares a secret with the payer, is able to reconstruct the mask and authenticate the payer through her obfuscated fingerprint.

【Keywords】:

8. A Measurement Study of Authentication Rate-Limiting Mechanisms of Modern Websites.

【Pages】:89-100

【Authors】: Bo Lu ; Xiaokuan Zhang ; Ziman Ling ; Yinqian Zhang ; Zhiqiang Lin

【Abstract】: Text passwords remain a primary means for user authentication on modern computer systems. However, recent studies have shown the promises of guessing user passwords efficiently with auxiliary information of the targeted accounts, such as the users' personal information, previously used passwords, or those used in other systems. Authentication rate-limiting mechanisms, such as account lockout and login throttling, are common methods to defeat online password cracking attacks. But to date, no published studies have investigated how authentication rate-limiting is implemented by popular websites. In this paper, we present a measurement study of such countermeasures against online password cracking. Towards this end, we propose a black-box approach to modeling and validating the websites' implementation of the rate-limiting mechanisms. We applied the tool to examine all 182 websites that we were able to analyze in the Alexa Top 500 websites in the United States. The results are rather surprising: 131 websites (72%) allow frequent, unsuccessful login attempts without account lockout or login throttling (though some of these websites force the adversary to lower the login frequency or constantly change his IP addresses to circumvent the rate-limiting enforcement). The remaining 51 websites are not absolutely secure either: 28 websites may block a legitimate user with correct passwords when the account is locked out, effectively enabling authentication denial-of-service attacks.

【Keywords】: Authentication; Measurement; Rate-limiting

ML-Based Defenses 4

9. Accurate Malware Detection by Extreme Abstraction.

【Pages】:101-111

【Authors】: Fady Copty ; Matan Danos ; Orit Edelstein ; Cindy Eisner ; Dov Murik ; Benjamin Zeltser

【Abstract】: Modern malware applies a rich arsenal of evasion techniques to render dynamic analysis ineffective. In turn, dynamic analysis tools take great pains to hide themselves from malware; typically this entails trying to be as faithful as possible to the behavior of a real run. We present a novel approach to malware analysis that turns this idea on its head, using an extreme abstraction of the operating system that intentionally strays from real behavior. The key insight is that the presence of malicious behavior is sufficient evidence of malicious intent, even if the path taken is not one that could occur during a real run of the sample. By exploring multiple paths in a system that only approximates the behavior of a real system, we can discover behavior that would often be hard to elicit otherwise. We aggregate features from multiple paths and use a funnel-like configuration of machine learning classifiers to achieve high accuracy without incurring too much of a performance penalty. We describe our system, TAMALES (The Abstract Malware Analysis LEarning System), in detail and present machine learning results using a 330K sample set showing an FPR (False Positive Rate) of 0.10% with a TPR (True Positive Rate) of 99.11%, demonstrating that extreme abstraction can be extraordinarily effective in providing data that allows a classifier to accurately detect malware.

【Keywords】: Analysis; Classification; Detection; Malware

10. Using Loops For Malware Classification Resilient to Feature-unaware Perturbations.

【Pages】:112-123

【Authors】: Aravind Machiry ; Nilo Redini ; Eric Gustafson ; Yanick Fratantonio ; Yung Ryn Choe ; Christopher Kruegel ; Giovanni Vigna

【Abstract】: In the past few years, both the industry and the academic communities have developed several approaches to detect malicious Android apps. State-of-the-art research approaches achieve very high accuracy when performing malware detection on existing datasets. These approaches perform their malware classification tasks in an "offline" scenario, where malware authors cannot learn from and adapt their malicious apps to these systems. In real-world deployments, however, adversaries get feedback about whether their app was detected, and can react accordingly by transforming their code until they are able to influence the classification. In this work, we propose a new approach for detecting Android malware that is designed to be resilient to feature-unaware perturbations without retraining. Our work builds on two key ideas. First, we consider only a subset of the codebase of a given app, both for precision and performance aspects. For this paper, our implementation focuses exclusively on the loops contained in a given app. We hypothesize, and empirically verify, that the code contained in apps' loops is enough to precisely detect malware. This provides the additional benefits of being less prone to noise and errors, and being more performant. The second idea is to build a feature space by extracting a set of labels for each loop, and by then considering each unique combination of these labels as a different feature: The combinatorial nature of this feature space makes it prohibitively difficult for an attacker to influence our feature vector and avoid detection, without access to the specific model used for classification. We assembled these techniques into a prototype, called LoopMC, which can locate loops in applications, extract features, and perform classification, without requiring source code. We used LoopMC to classify about 20,000 benign and malicious applications. 
While focusing on a smaller portion of the program may seem counterintuitive, the results of these experiments are surprising: our system achieves a classification accuracy of 99.3% and 99.1% for the Malware Genome Project and VirusShare datasets respectively, which outperforms previous approaches. We also evaluated LoopMC, along with the related work, in the context of various evasion techniques, and show that our system is more resilient to evasion.

【Keywords】: Android; Loops; Malware Detection; Random Forest

11. MADE: Security Analytics for Enterprise Threat Detection.

【Pages】:124-136

【Authors】: Alina Oprea ; Zhou Li ; Robin Norris ; Kevin D. Bowers

【Abstract】: Enterprises are targeted by various malware activities at a staggering rate. To counteract the increased sophistication of cyber attacks, most enterprises deploy within their perimeter a number of security technologies, including firewalls, antivirus software, and web proxies, as well as specialized teams of security analysts forming Security Operations Centers (SOCs). In this paper we address the problem of detecting malicious activity in enterprise networks and prioritizing the detected activities according to their risk. We design a system called MADE using machine learning applied to data extracted from security logs. MADE leverages an extensive set of features for enterprise malicious communication and uses supervised learning in a novel way for prioritization, rather than detection, of enterprise malicious activities. MADE has been deployed in a large enterprise and used by SOC analysts. Over one month, MADE successfully prioritizes the most risky domains contacted by enterprise hosts, achieving a precision of 97% in 100 detected domains, at a very small false positive rate. We also demonstrate MADE's ability to identify new malicious activities (18 out of 100) overlooked by state-of-the-art security technologies.

【Keywords】:

12. LOBO: Evaluation of Generalization Deficiencies in Twitter Bot Classifiers.

【Pages】:137-146

【Authors】: Juan Echeverría ; Emiliano De Cristofaro ; Nicolas Kourtellis ; Ilias Leontiadis ; Gianluca Stringhini ; Shi Zhou

【Abstract】: Botnets in online social networks are increasingly often affecting the regular flow of discussion, attacking regular users and their posts, spamming them with irrelevant or offensive content, and even manipulating the popularity of messages and accounts. Researchers and cybercriminals are involved in an arms race, and new and updated botnets designed to defeat current detection systems are constantly developed, rendering such detection systems obsolete. In this paper, we motivate the need for a generalized evaluation in Twitter bot detection and propose a methodology to evaluate bot classifiers by testing them on unseen bot classes. We show that this methodology is empirically robust, using bot classes of varying sizes and characteristics and reaching similar results, and argue that methods trained and tested on single bot classes or datasets might not be able to generalize to new bot classes. We train one such classifier on over 200,000 data points and show that it achieves over 97% accuracy. The data used to train and test this classifier includes some of the largest and most varied collections of bots used in literature. We then test this theoretically sound classifier using our methodology, highlighting that it does not generalize well to unseen bot classes. Finally, we discuss the implications of our results, and reasons why some bot classes are easier and faster to detect than others.

【Keywords】: Big Data; Botnets; Classification; Generalization; Social Networks; Twitter Bots

Side Channels 4

13. Side-Channel Analysis of SM2: A Late-Stage Featurization Case Study.

【Pages】:147-160

【Authors】: Nicola Tuveri ; Sohaib ul Hassan ; Cesar Pereida García ; Billy Bob Brumley

【Abstract】: SM2 is a public key cryptography suite originating from Chinese standards, including digital signatures and public key encryption. Ahead of schedule, code for this functionality was recently mainlined in OpenSSL, marked for the upcoming 1.1.1 release. We perform a security review of this implementation, uncovering various deficiencies ranging from traditional software quality issues to side-channel risks. To assess the latter, we carry out a side-channel security evaluation and discover that the implementation hits every pitfall seen for OpenSSL's ECDSA code in the past decade. We carry out remote timings, cache timings, and EM analysis, with accompanying empirical data to demonstrate secret information leakage during execution of both digital signature generation and public key decryption. Finally, we propose, implement, and empirically evaluate countermeasures.

【Keywords】: OpenSSL; SM2; TVLA; applied cryptography; cache-timing attacks; power analysis; public key cryptography; side-channel analysis; software engineering; timing attacks

14. MicroWalk: A Framework for Finding Side Channels in Binaries.

【Pages】:161-173

【Authors】: Jan Wichelmann ; Ahmad Moghimi ; Thomas Eisenbarth ; Berk Sunar

【Abstract】: Microarchitectural side channels expose unprotected software to information leakage attacks where a software adversary is able to track runtime behavior of a benign process and steal secrets such as cryptographic keys. As suggested by incremental software patches for the RSA algorithm against variants of side-channel attacks within different versions of cryptographic libraries, protecting security-critical algorithms against side channels is an intricate task. Software protections avoid leakages by operating in constant time with a uniform resource usage pattern independent of the processed secret. In this respect, automated testing and verification of software binaries for leakage-free behavior is of importance, particularly when the source code is not available. In this work, we propose a novel technique based on Dynamic Binary Instrumentation and Mutual Information Analysis to efficiently locate and quantify memory based and control-flow based microarchitectural leakages. We develop a software framework named MicroWalk for side-channel analysis of binaries which can be extended to support new classes of leakage. For the first time, by utilizing MicroWalk, we perform rigorous leakage analysis of two widely-used closed-source cryptographic libraries: Intel IPP and Microsoft CNG. We analyze 15 different cryptographic implementations consisting of 112 million instructions in about 105 minutes of CPU time. By locating previously unknown leakages in hardened implementations, our results suggest that MicroWalk can efficiently find microarchitectural leakages in software binaries.

【Keywords】: binary instrumentation; cache attacks; constant time; cryptographic implementations; dynamic program analysis; microarchitectural leakage; mutual information; side channel

15. Analyzing Cache Side Channels Using Deep Neural Networks.

【Pages】:174-186

【Authors】: Tianwei Zhang ; Yinqian Zhang ; Ruby B. Lee

【Abstract】: Cache side-channel attacks aim to breach the confidentiality of a computer system and extract sensitive secrets through CPU caches. In the past years, different types of side-channel attacks targeting a variety of cache architectures have been demonstrated. Meanwhile, different defense methods and systems have also been designed to mitigate these attacks. However, quantitatively evaluating the effectiveness of these attacks and defenses has been challenging. We propose a generic approach to evaluating cache side-channel attacks and defenses. Specifically, our method builds a deep neural network with its inputs as the adversary's observed information, and its outputs as the victim's execution traces. By training the neural network, the relationship between the inputs and outputs can be automatically discovered. As a result, the prediction accuracy of the neural network can serve as a metric to quantify how much information the adversary can obtain correctly, and how effective a defense solution is in reducing the information leakage under different attack scenarios. Our evaluation suggests that the proposed method can effectively evaluate different attacks and defenses.

【Keywords】:

16. MemCloak: Practical Access Obfuscation for Untrusted Memory.

【Pages】:187-197

【Authors】: Weixin Liang ; Kai Bu ; Ke Li ; Jinhong Li ; Arya Tavakoli

【Abstract】: Access patterns over untrusted memory have long been exploited to infer sensitive information like program types or even secret keys. Most existing obfuscation solutions hide real memory accesses among a sufficiently large number of dummy memory accesses. Such solutions lead to a heavy communication overhead and more often apply to the client/server scenario instead of the CPU/memory architecture. Sporadic obfuscation solutions strive for an affordable memory bandwidth cost at the expense of security degradation. For example, they may have to obfuscate accesses over a limited range of memory space to control the overhead. In this paper, we present MemCloak to obfuscate accesses throughout the entire memory space with an O(1) communication overhead. We advocate leveraging data redundancy to achieve extremely efficient obfuscation. Loading multiple duplicates of a data block in memory, MemCloak enables the CPU to fetch the same data by accessing different memory locations. This breaks the condition for snooping the access pattern. Moreover, we leverage data aggregation to improve memory utilization. It enables the CPU to fetch the same aggregated data block times from the same memory location but each time for a different data block therein. This further prohibits an attacker from correlating memory accesses. We propose a series of optimization techniques to compress the position that tracks memory layout. The optimized position map is hundreds of times smaller than the traditional position map. It takes only several megabytes for protecting a 4 GB memory and can fit in an on-chip cache or buffer. We implement MemCloak using the gem5 simulator and validate its performance using highly memory-intensive MiBench benchmarks.

【Keywords】: Access pattern obfuscation; Oblivious RAM; side-channel attack

Android 4

17. StateDroid: Stateful Detection of Stealthy Attacks in Android Apps via Horn-Clause Verification.

【Pages】:198-209

【Authors】: Mohsin Junaid ; Jiang Ming ; David Chenho Kung

【Abstract】: Profit-driven cyber-criminals are motivated to prolong Android malware's lifetime by hiding malicious behaviors from raising suspicion. Stealthy malware has become an emerging challenge to Android security as it can remain undetected for quite a long time. However, traditional defense techniques are insufficient in face of this new threat. Our in-depth study on published malware analysis reports and corresponding code analysis leads to three key observations: 1) a stealthy attack goes through multiple states; 2) state transitions are caused by a sequence of attack actions; 3) an attack action typically involves several Android APIs on different objects. These insights motivate us to design a two-layer finite state machine (FSM) model, named StateDroid, to depict multi-step stealthy attacks in terms of state transitions. Our goal is to reason about various stealthy attacks from an Android app in one pass. However, the heterogeneous characteristics of attack actions make automatic construction of accurate detection model a challenging work. To overcome this obstacle, StateDroid abstracts the semantics of Android APIs and attacks as Horn clauses, and then it automatically constructs the two-layer FSM model via Horn-clause verification. We have developed an open-source prototype of StateDroid and evaluated it extensively with ground truth dataset, 1,505 Google Play apps, and 1,369 malicious apps, respectively. The encouraging experimental results demonstrate the efficacy of StateDroid. Our study shows stealthy attacks have been quite common among new-generation malware such as notorious ransomware, and we even identify 7.5% of recent Google Play apps exhibit unexpected stealthy behaviors.

【Keywords】: Android Malware Analysis; Finite State Machine; Formal Reasoning; Horn-Clause Verification; Stateful Detection; Stealthy Attacks in Android Apps

18. Improving Accuracy of Android Malware Detection with Lightweight Contextual Awareness.

【Pages】:210-221

【Authors】: Joey Allen ; Matthew Landen ; Sanya Chaba ; Yang Ji ; Simon Pak Ho Chung ; Wenke Lee

【Abstract】: In Android malware detection, recent work has shown that using contextual information of sensitive API invocation in the modeling of applications is able to improve the classification accuracy. However, the improvement brought by this context-awareness varies depending on how this information is used in the modeling. In this paper, we perform a comprehensive study on the effectiveness of using the contextual information in prior state-of-the-art detection systems. We find that this information has been "over-used" such that a large amount of non-essential metadata built into the models weakens the generalizability and longevity of the model, thus finally affects the detection accuracy. On the other hand, we find that the entrypoint of API invocation has the strongest impact on the classification correctness, which can further improve the accuracy if being properly captured. Based on this finding, we design and implement a lightweight, circumstance-aware detection system, named "PIKADROID" that only uses the API invocation and its entrypoint in the modeling. For extracting the meaningful entrypoints, PIKADROID applies a set of static analysis techniques to extract and sanitize the reachable entrypoints of a sensitive API, then constructs a frequency model for classification decision. In the evaluation, we show that this slim model significantly improves the detection accuracy on a data set of 23,631 applications by achieving an f-score of 97.41%, while maintaining a false positive rating of 0.96%.

【Keywords】: Android Security; Malware detection

19. A Large Scale Investigation of Obfuscation Use in Google Play.

Paper Link】 【Pages】:222-235

【Authors】: Dominik Wermke ; Nicolas Huaman ; Yasemin Acar ; Bradley Reaves ; Patrick Traynor ; Sascha Fahl

【Abstract】: Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also report difficulties obfuscating their own apps. To better understand, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. These findings have broad implications both for improving the security of Android apps and for all tools that aim to help developers write more secure software.

【Keywords】: Android; Obfuscation; User Study

20. Why Johnny Can't Make Money With His Contents: Pitfalls of Designing and Implementing Content Delivery Apps.

Paper Link】 【Pages】:236-251

【Authors】: Sze Yiu Chau ; Bincheng Wang ; Jianxiong Wang ; Omar Chowdhury ; Aniket Kate ; Ninghui Li

【Abstract】: Mobile devices are becoming the default platform for multimedia content consumption. Such a thriving business ecosystem has drawn interests from content distributors to develop apps that can reach a large number of audience. The business-edge of content delivery apps crucially relies on being able to effectively arbitrate the purchase and delivery of contents, and govern the access of contents with respect to usage control policies, on a plethora of consumer devices. Content protection on mobile platforms, especially in the absence of Trusted Execution Environment (TEE), is a challenging endeavor where developers often have to resort to ad-hoc deterrence-based defenses. This work evaluates the effectiveness of content protection mechanisms embraced by vendors of content delivery apps, with respect to a hierarchy of adversaries with varying real-world capabilities. Our analysis of 141 vulnerable apps uncovered that, in many cases, due to developers' unjustified trust assumptions about the underlying technologies, adversaries can obtain unauthorized and unrestricted access to contents of apps, sometimes without even needing to reverse engineer the deterrence-based defenses. Some weaknesses in the apps can also severely impact app users' security and privacy. All our findings have been responsibly disclosed to the corresponding app vendors.

【Keywords】:

Network Security 4

21. An Extensive Evaluation of the Internet's Open Proxies.

Paper Link】 【Pages】:252-265

【Authors】: Akshaya Mani ; Tavish Vaidya ; David Dworken ; Micah Sherr

【Abstract】: Open proxies forward traffic on behalf of any Internet user. Listed on open proxy aggregator sites, they are often used to bypass geographic region restrictions or circumvent censorship. Open proxies sometimes also provide a weak form of anonymity by concealing the requestor's IP address. To better understand their behavior and performance, we conducted a comprehensive study of open proxies, encompassing more than 107,000 listed open proxies and 13M proxy requests over a 50 day period. While previous studies have focused on malicious open proxies' manipulation of HTML content to insert/modify ads, we provide a more broad study that examines the availability, success rates, diversity, and also (mis)behavior of proxies. Our results show that listed open proxies suffer poor availability---more than 92% of open proxies that appear on aggregator sites are unresponsive to proxy requests. Much more troubling, we find numerous examples of malicious open proxies in which HTML content is manipulated to mine cryptocurrency (that is, cryptojacking). We additionally detect TLS man-in-the-middle (MitM) attacks, and discover numerous instances in which binaries fetched through proxies were modified to include remote access trojans and other forms of malware. As a point of comparison, we conduct and discuss a similar measurement study of the behavior of Tor exit relays. We find no instances in which Tor relays performed TLS MitM or manipulated content, suggesting that Tor offers a far more reliable and safe form of proxied communication.

【Keywords】: Anonymity; Internet Proxies

22. SENSS Against Volumetric DDoS Attacks.

Paper Link】 【Pages】:266-277

【Authors】: Sivaramakrishnan Ramanathan ; Jelena Mirkovic ; Minlan Yu ; Ying Zhang

【Abstract】: Volumetric distributed denial-of-service (DDoS) attacks can bring any network to a halt. Because of their distributed nature and high volume, the victim often cannot handle these attacks alone and needs help from upstream ISPs. Today's Internet has no automated mechanism for victims to ask ISPs for help in attack handling and ISPs themselves do not offer such services. We propose SENSS, a security service for collaborative mitigation of volumetric DDoS attacks. SENSS enables the victim of an attack to request attack monitoring and filtering on demand, and to pay for the services rendered. Requests can be sent both to the immediate and to remote ISPs, in an automated and secure manner, and can be authenticated by these ISPs, without having prior trust with the victim. Simple and generic SENSS APIs enable victims to build custom detection and mitigation approaches against a variety of DDoS attacks. SENSS is deployable with today's infrastructure, and it has strong economic incentives both for ISPs and for the attack victims. It is also very effective in sparse deployment, offering full protection to direct customers of early adopters, and considerable protection to remote victims when deployed strategically. Deployment on the largest 1% of ISPs protects not just direct customers of these ISPs, but everyone on the Internet, from 90% of volumetric DDoS attacks.

【Keywords】: DDoS defense; IP spoofing; collaborative defense; traffic filtering

23. Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling.

Paper Link】 【Pages】:278-288

【Authors】: Jaejong Baek ; Sukwha Kyung ; Haehyun Cho ; Ziming Zhao ; Yan Shoshitaishvili ; Adam Doupé ; Gail-Joon Ahn

【Abstract】: Wi-Fi Calling, which is used to make and receive calls over the Wi-Fi network, has been widely adopted and deployed to extend the coverage and increase the capacity in weak signal areas by moving traffic from LTE to Wi-Fi networks. However, the security of Wi-Fi Calling mechanism has not been fully analyzed, and Wi-Fi Calling may inherently have greater security risks than conventional LTE calling. To provide secure connections with confidentiality and integrity, Wi-Fi Calling leverages the IETF protocols IKEv2 and IPSec. In this paper, we analyze the security of Wi-Fi Calling specifications and discover several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks. By setting up a rogue access point in live testbed environment, we observe that user devices can leak the International Mobile Subscriber Identity (IMSI), despite it being encrypted. The leaked information can be further exploited for tracking user locations. We also discuss how these protocols are vulnerable to several denial of service attacks. To protect user privacy and services against these attacks, we propose practical countermeasures. We also present trade-off considerations that pose challenges for us to apply countermeasures to mitigate the existing vulnerabilities. Additionally, we propose to introduce corresponding amendments for future specifications of protocols to address these trade-offs.

【Keywords】: DoS; IMSI; IPSec; Impersonation Attack; Privacy; Wi-Fi Calling

24. Tracking Users across the Web via TLS Session Resumption.

Paper Link】 【Pages】:289-299

【Authors】: Erik Sy ; Christian Burkert ; Hannes Federrath ; Mathias Fischer

【Abstract】: User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.

【Keywords】: Browser Measurement; PSK Identity; Session IDs; Session Tickets; Tracking Period

Web Security 4

25. Towards Automated Generation of Exploitation Primitives for Web Browsers.

Paper Link】 【Pages】:300-312

【Authors】: Behrad Garmany ; Martin Stoffel ; Robert Gawlik ; Philipp Koppe ; Tim Blazytko ; Thorsten Holz

【Abstract】: The growing dependence on software and the increasing complexity of such systems builds and feeds the attack surface for exploitable vulnerabilities. Security researchers put up a lot of effort to develop exploits and analyze existing exploits with the goal of staying ahead of the state-of-the-art in attacks and defenses. The urge for automated systems that operate at scale, speed and efficiency is therefore undeniable. Given their complexity and large user base, web browsers pose an attractive target. Due to various mitigation strategies, the exploitation of a browser vulnerability became a time consuming, multi-step task: creating a working exploit even from a crashing input is a resource-intensive task that can take a substantial amount of time to complete. In many cases, the input, which triggers a vulnerability follows a crashing path but does not enter an exploitable state. In this paper, we introduce novel methods to significantly improve and partially automate the development process for browser exploits. Our approach is based on the observation that an analyst typically performs certain manual analysis steps that can be automated. This serves the purpose to propagate the bug-induced, controlled data to a specific program location to carry out a desired action. These actions include achieving write-what-where or control over the instruction pointer primitives. These are useful to extend control over the target program and are necessities towards successful code execution, the ultimate goal of the adversary. We implemented a prototype of our approach called PrimGen. For a given browser vulnerability, it is capable of automatically crafting data objects that lead the execution to a desired action. We show in our evaluation that our approach is able to generate new and previously unknown exploitation opportunities for real-world vulnerabilities in Mozilla Firefox, Internet Explorer, and Google Chrome. 
Using small templates, PrimGen generates inputs that conducts specific primitives. In total, PrimGen has found 48 JavaScript inputs which conduct the desired primitives when fed into the target browsers.

【Keywords】:

26. RAPID: Resource and API-Based Detection Against In-Browser Miners.

Paper Link】 【Pages】:313-326

【Authors】: Juan D. Parra Rodriguez ; Joachim Posegga

【Abstract】: Direct access to the system's resources such as the GPU, persistent storage and networking has enabled in-browser crypto-mining. Thus, there has been a massive response by rogue actors who abuse browsers for mining without the user's consent. This trend has grown steadily for the last months until this practice, i.e., CryptoJacking, has been acknowledged as the number one security threat by several antivirus companies. Considering this, and the fact that these attacks do not behave as JavaScript malware or other Web attacks, we propose and evaluate several approaches to detect in-browser mining. To this end, we collect information from the top 330.500 Alexa sites. Mainly, we used real-life browsers to visit sites while monitoring resource-related API calls and the browser's resource consumption, e.g., CPU. Our detection mechanisms are based on dynamic monitoring, so they are resistant to JavaScript obfuscation. Furthermore, our detection techniques can generalize well and classify previously unseen samples with up to 99.99% precision and recall for the benign class and up to 96% precision and recall for the mining class. These results demonstrate the applicability of detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists. Last but not least, we evaluated the feasibility of deploying prototypical implementations of some detection mechanisms directly on the browser. Specifically, we measured the impact of in-browser API monitoring on page-loading time and performed micro-benchmarks for the execution of some classifiers directly within the browser. In this regard, we ascertain that, even though there are engineering challenges to overcome, it is feasible and beneficial for users to bring the mining detection to the browser.

【Keywords】: Browser Abuse; CryptoJacking; HTML5; Web Security

27. A Multi-tab Website Fingerprinting Attack.

Paper Link】 【Pages】:327-341

【Authors】: Yixiao Xu ; Tao Wang ; Qi Li ; Qingyuan Gong ; Yang Chen ; Yong Jiang

【Abstract】: In a Website Fingerprinting (WF) attack, a local, passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have extensively demonstrated the feasibility and effectiveness of WF, but only under the strong Single Page Assumption: the network flow extracted by the adversary always belongs to a single page. In other words, the WF classifier will never be asked to classify a network flow corresponding to more than one page, or part of a page. The Single Page Assumption is unrealistic because people often browse with multiple tabs. When this happens, the network flow induced by multiple tabs will overlap, and current WF attacks fail to classify correctly. Our work demonstrates the feasibility of WF with the relaxed Single Page Assumption: we can attack a client who visits more than one pages simultaneously. We propose a multi-tab website fingerprinting attack that can accurately classify multi-tab web pages if they are requested and sequentially loaded over a short period of time. In particular, we develop a new BalanceCascade-XGBoost scheme for an attacker to identify the start point of the second page such that the attacker can accurately classify and identify these multi-tab pages. By developing a new classifier, we only use a small chunk of packets, i.e., packets between the first page's start time to the second page's start time, to fingerprint website. Our experiments demonstrate that in the multi-tab scenario, WF attacks are still practically effective. We have an average TPR of 92.58% on SSH, and we can also averagely identify the page with a TPR of 64.94% on Tor. Specially, compared with previous WF classifiers, our attack achieves a significantly higher true positive rate using a restricted chunk of packets.

【Keywords】: Machine learning; Website fingerprinting attack

28. Raising the Bar: Evaluating Origin-wide Security Manifests.

Paper Link】 【Pages】:342-354

【Authors】: Steven Van Acker ; Daniel Hausknecht ; Andrei Sabelfeld

【Abstract】: Defending a web application from attackers requires the correct configuration of several web security mechanisms for each and every web page in that web application. This configuration process can be difficult and result in gaps in the defense against web attackers because some web pages may be overlooked. In this work we provide a first evaluation of the standard draft for an origin-wide security configuration mechanism called the "origin manifest". The mechanism raises the security level of an entire web origin at once while still allowing the specification of web security policies at the web page level. We create prototype implementations of the origin manifest mechanism for both the client-side and server-side, and provide security officers with an automated origin manifest learner and generator to aid them with the configuration of their web origins. To resolve potential collisions of policies defined by the web origin with policies defined by web pages we formalize the comparison and combination of web security policies and integrate it into our prototype implementation. We evaluate the feasibility of the origin manifest mechanism with a longitudinal study of popular websites to determine whether origin manifest files are stable enough to not require frequent reconfiguration, and perform performance measurements on the Alexa top 10,000 to determine the network traffic overhead. Our results show that the origin manifest mechanism can effectively raise the security level of a web origin while slightly improving network performance.

【Keywords】:

Secure Learning 4

29. SHIELD: A Framework for Efficient and Secure Machine Learning Classification in Constrained Environments.

Paper Link】 【Pages】:355-370

【Authors】: Jan Henrik Ziegeldorf ; Jan Metzke ; Klaus Wehrle

【Abstract】: Machine learning classification has enabled many innovative services, e.g., in medicine, biometrics, and finance. Current practices of sharing sensitive input data or classification models, however, causes privacy concerns among the users and business risk among the providers. In this work, we resolve the conflict between privacy and business interests using Secure Two-Party Computation. Concretely, we propose SHIELD, a framework for efficient, and accurate machine learning classification with security in the semi-honest model. Building on SHIELD, we realize several widely used classifiers and real-world use cases that compare favorably against related work. Departing definitively from prior works, all of SHIELD's protocols are designed from the ground up to enable secure outsourcing to untrusted computation clouds enabling even constrained devices to handle our most complex use cases in (milli)seconds.

【Keywords】:

30. Model Extraction Warning in MLaaS Paradigm.

Paper Link】 【Pages】:371-380

【Authors】: Manish Kesarwani ; Bhaskar Mukhoty ; Vijay Arya ; Sameep Mehta

【Abstract】: Machine learning models deployed on the cloud are susceptible to several security threats including extraction attacks. Adversaries may abuse a model's prediction API to steal the model thus compromising model confidentiality, privacy of training data, and revenue from future query payments. This work introduces a model extraction monitor that quantifies the extraction status of models by continually observing the API query and response streams of users. We present two novel strategies that measure either the information gain or the coverage of the feature space spanned by user queries to estimate the learning rate of individual and colluding adversaries. Both approaches have low computational overhead and can easily be offered as services to model owners to warn them against state of the art extraction attacks. We demonstrate empirical performance results of these approaches for decision tree and neural network models using open source datasets and BigML MLaaS platform.

【Keywords】:

31. Poisoning Attacks to Graph-Based Recommender Systems.

Paper Link】 【Pages】:381-392

【Authors】: Minghong Fang ; Guolei Yang ; Neil Zhenqiang Gong ; Jia Liu

【Abstract】: Recommender system is an important component of many web services to help users locate items that match their interests. Several studies showed that recommender systems are vulnerable to poisoning attacks, in which an attacker injects fake data to a recommender system such that the system makes recommendations as the attacker desires. However, these poisoning attacks are either agnostic to recommendation algorithms or optimized to recommender systems (e.g., association-rule-based or matrix-factorization-based recommender systems) that are not graph-based. Like association-rule-based and matrix-factorization-based recommender systems, graph-based recommender system is also deployed in practice, e.g., eBay, Huawei App Store (a big app store in China). However, how to design optimized poisoning attacks for graph-based recommender systems is still an open problem. In this work, we perform a systematic study on poisoning attacks to graph-based recommender systems. We consider an attacker's goal is to promote a target item to be recommended to as many users as possible. To achieve this goal, our attacks inject fake users with carefully crafted rating scores to the recommender system. Due to limited resources and to avoid detection, we assume the number of fake users that can be injected into the system is bounded. The key challenge is how to assign rating scores to the fake users such that the target item is recommended to as many normal users as possible. To address the challenge, we formulate the poisoning attacks as an optimization problem, solving which determines the rating scores for the fake users. We also propose techniques to solve the optimization problem.
We evaluate our attacks and compare them with existing attacks under white-box (recommendation algorithm and its parameters are known), gray-box (recommendation algorithm is known but its parameters are unknown), and black-box (recommendation algorithm is unknown) settings using two real-world datasets. Our results show that our attack is effective and outperforms existing attacks for graph-based recommender systems. For instance, when 1% of users are injected fake users, our attack can make a target item recommended to 580 times more normal users in certain scenarios.

【Keywords】: Adversarial recommender systems; adversarial machine learning; poisoning attacks

32. I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators.

Paper Link】 【Pages】:393-406

【Authors】: Lingxiao Wei ; Bo Luo ; Yu Li ; Yannan Liu ; Qiang Xu

【Abstract】: Deep learning has become the de-facto computational paradigm for various kinds of perception problems, including many privacy-sensitive applications such as online medical image analysis. No doubt to say, the data privacy of these deep learning systems is a serious concern. Different from previous research focusing on exploiting privacy leakage from deep learning models, in this paper, we present the first attack on the implementation of deep learning models. To be specific, we perform the attack on an FPGA-based convolutional neural network accelerator and we manage to recover the input image from the collected power traces without knowing the detailed parameters in the neural network. For the MNIST dataset, our power side-channel attack is able to achieve up to 89% recognition accuracy.

【Keywords】: Power side-channel attack; convolutional neural accelerators; privacy leakage

Virtualization 4

33. Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection.

Paper Link】 【Pages】:407-417

【Authors】: Sergej Proskurin ; Tamas K. Lengyel ; Marius Momeu ; Claudia Eckert ; Apostolis Zarras

【Abstract】: ARM has become the leading processor architecture for mobile and IoT devices, while it has recently started claiming a bigger slice of the server market pie as well. As such, it will not be long before malware more regularly target the ARM architecture. Therefore, the stealthy operation of Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate this growing threat. Stealthy VMI has proven itself perfectly suitable for malware analysis on Intel's architecture, yet, it often lacks the foundation required to be equally effective on ARM.

【Keywords】:

34. A Measurement Study on Linux Container Security: Attacks and Countermeasures.

Paper Link】 【Pages】:418-429

【Authors】: Xin Lin ; Lingguang Lei ; Yuewu Wang ; Jiwu Jing ; Kun Sun ; Quan Zhou

【Abstract】: Linux container mechanism has attracted a lot of attention and is increasingly utilized to deploy industry applications. Though it is a consensus that the container mechanism is not secure due to the kernel-sharing property, it lacks a concrete and systematical evaluation on its security using real world exploits. In this paper, we collect an attack dataset including 223 exploits that are effective on the container platform, and classify them into different categories using a two-dimensional attack taxonomy. Then we evaluate the security of existing Linux container mechanism using 88 typical exploits filtered out from the dataset. We find 50 (56.82%) exploits can successfully launch attacks from inside the container with the default configuration. Since the privilege escalation exploits can completely disable the container protection mechanism, we conduct an in-depth analysis on these exploits. We find the kernel security mechanisms such as Capability, Seccomp, and MAC play a more important role in preventing privilege escalation than the container isolation mechanisms (i.e., Namespace and Cgroup). However, the interdependence and mutual-influence relationship among these kernel security mechanisms may make them fall into the "short board effect" and impair their protection capability. By studying the 11 exploits that still can successfully break the isolation provided by container and achieve privilege escalation, we identify a common 4-step attack model followed by all 11 exploits. Finally, we propose a defense mechanism to effectively defeat those identified privilege escalation attacks.

【Keywords】: Container; Kernel Security Mechanisms; Privilege Escalation

35. Secure Out-of-band Remote Management of Virtual Machines with Transparent Passthrough.

Paper Link】 【Pages】:430-440

【Authors】: Shota Futagami ; Tomoya Unoki ; Kenichi Kourai

【Abstract】: Infrastructure-as-a-Service clouds provide out-of-band remote management for users to access their virtual machines (VMs). Out-of-band remote management is a method for indirectly accessing VMs via their virtual devices. While virtual devices running in the virtualized system are managed by cloud operators, not all cloud operators are always trusted in clouds. To prevent information leakage from virtual devices and tampering with their I/O data, several systems have been proposed by trusting the hypervisor in the virtualized system. However, they have various issues on security and management. This paper proposes VSBypass, which enables secure out-of-band remote management outside the virtualized system using a technique called transparent passthrough. VSBypass runs the entire virtualized system in an outer VM using nested virtualization. Then it intercepts I/O requests of out-of-band remote management and processes those requests in shadow devices, which run outside the virtualized system. We have implemented VSBypass in Xen for the virtual serial console and GUI remote access. We confirmed that information leakage was prevented and that the performance was comparable to that in traditional out-of-band remote management.

【Keywords】: Information leakage; Nested virtualization; Remote management; Virtual machines; Virtualized systems

36. Prime+Count: Novel Cross-world Covert Channels on ARM TrustZone.

Paper Link】 【Pages】:441-452

【Authors】: Haehyun Cho ; Penghui Zhang ; Donguk Kim ; Jinbum Park ; Choong-Hoon Lee ; Ziming Zhao ; Adam Doupé ; Gail-Joon Ahn

【Abstract】: The security of ARM TrustZone relies on the idea of splitting system-on-chip hardware and software into two worlds, namely normal world and secure world. In this paper, we report cross-world covert channels, which exploit the world-shared cache in the TrustZone architecture. We design a Prime+Count technique that only cares about how many cache sets or lines have been occupied. The coarser-grained approach significantly reduces the noise introduced by the pseudo-random replacement policy and world switching. Using our Prime+Count technique, we build covert channels in single-core and cross-core scenarios in the TrustZone architecture. Our results demonstrate that Prime+Count is an effective technique for enabling cross-world covert channels on ARM TrustZone.

【Keywords】: ARM TrustZone; Cache side-channel; Covert channels

Usability 4

37. Comparing Video Based Shoulder Surfing with Live Simulation.

Paper Link】 【Pages】:453-466

【Authors】: Adam J. Aviv ; Flynn Wolf ; Ravi Kuber

【Abstract】: We analyze the claims that video recreations of shoulder surfing attacks offer a suitable alternative and a baseline, as compared to evaluation in a live setting. We recreated a subset of the factors of a prior video-simulation experiment conducted by Aviv et al. (ACSAC 2017), and model the same scenario using live participants (n = 36) instead (i.e., the victim and attacker were both present). The live experiment confirmed that for Android's graphical patterns video simulation is consistent with the live setting for attacker success rates. However, both 4- and 6-digit PINs demonstrate statistically significant differences in attacker performance, with live attackers performing as much 1.9x better than in the video simulation. The security benefits gained from removing feedback lines in Android's graphical patterns are also greatly diminished in the live setting, particularly under multiple attacker observations, but overall, the data suggests that video recreations can provide a suitable baseline measure for attacker success rate. However, we caution that researchers should consider that these baselines may greatly underestimate the threat of an attacker in live settings.

【Keywords】: Mobile Authentication; Shoulder Surfing

38. Do Social Disorders Facilitate Social Engineering?: A Case Study of Autism and Phishing Attacks.

Paper Link】 【Pages】:467-477

【Authors】: Ajaya Neupane ; Kiavash Satvat ; Nitesh Saxena ; Despina Stavrinos ; Haley Johnson Bishop

【Abstract】: Social engineering is a well-established and well-studied threat especially against healthy computer users. Little studied, however, is the level of vulnerability to social engineering attacks against people with medical conditions. Social disorders in particular may make people more susceptible to such attacks. In this paper, as an initial line of investigation into this understudied research line, we launch a study of phishing, a prominent social engineering attack, against people suffering from autism spectrum disorder, a unique developmental disorder characterized by hampered social skills and communication. We present a study of phishing detection with two groups of participants each with 15 participants, one diagnosed with autism and other without autism, in which they were asked to distinguish real versions of certain websites from their fake counterparts. Given the known gullibility and social vulnerability of users with autism, our study is designed to test the hypothesis that individuals with autism will be more prone to such attacks in contrast to healthy participants of prior studies. Our results, however, do not support this hypothesis demonstrating that participants with autism are not more vulnerable to phishing attempts. We attribute this result to the unique characteristics of users with autism including attention to detail, strong memory of factual information and diverse way of thinking, which are skills that folklore assumes may actually make users with autism highly qualified for cybersecurity careers. Overall, our work serves to demonstrate that targeted (spear) phishing attacks against Internet users suffering from autism may not be more successful compared to untargeted attacks against the user population without autism. It also highlights that social disorders may not necessarily facilitate social engineering attacks.

【Keywords】:

39. I Need this Back, Later!: An Exploration of Practical Secret Sharing.

【Paper Link】 【Pages】:478-489

【Authors】: Oliver Wiese ; Christoph Weinhold ; Jan-Ole Malchow ; Volker Roth

【Abstract】: Sharing encryption keys secretly can be useful to protect the availability and confidentiality of redundant encrypted backups. Key shares may be distributed and managed conveniently online, or offline with security benefits. We carried out a field study in order to learn how practical secret sharing is in the offline case using two form factors as carriers of share information: paper printouts and key tags. Our findings suggest that offline sharing is practical but slow. The form factor did not have a significant effect on retrieval success. Perhaps other parameters may be optimized instead such as convenience and costs of share production. We used k = 3, n = 5 as the secret sharing parameters in our study. This appears to suffice in many cases but we also found that increasing n and k is recommendable in practice because the safety and security margin was thin in our study.

【Keywords】: Secret Sharing; Security

40. Take It or Leave It: A Survey Study on Operating System Upgrade Practices.

【Paper Link】 【Pages】:490-504

【Authors】: Sadegh Farhang ; Jake Weidman ; Mohammad Mahdi Kamani ; Jens Grossklags ; Peng Liu

【Abstract】: Software upgrades play a pivotal role in enhancing software performance, and are a critical component of resolving software bugs and patching security issues. However, consumers' eagerness to upgrade to the newest operating system is often tempered after release. In this paper, we focus on the upgrade perceptions and practices of users utilizing Microsoft Windows, with particular consideration given to the current upgrade cycle to Windows 10, which was, for a time, offered at no monetary cost to many users. To better understand the relevant factors for upgrade decisions, we deployed a structured survey, including several open-ended questions to add additional depth. We collected data from 239 Microsoft Windows users and utilized qualitative and quantitative methods to analyze user upgrade practices. Important themes include how to best notify users of upcoming upgrade opportunities, how users perceive privacy issues associated with OS upgrade decisions, and whether security constitutes a significant decision-making factor. We also explore how end-of-life dates, indicating the end of support by the vendor, are perceived by users.

【Keywords】: Interdisciplinary Research; Operating System Upgrades; Privacy; Security; Survey Study

Vulnerability Detection 4

41. TIFF: Using Input Type Inference To Improve Fuzzing.

【Paper Link】 【Pages】:505-517

【Authors】: Vivek Jain ; Sanjay Rawat ; Cristiano Giuffrida ; Herbert Bos

【Abstract】: Developers commonly use fuzzing techniques to hunt down all manner of memory corruption vulnerabilities during the testing phase. Irrespective of the fuzzer, input mutation plays a central role in providing adequate code coverage, as well as in triggering bugs. However, each class of memory corruption bugs requires a different trigger condition. While the goal of a fuzzer is to find bugs, most existing fuzzers merely approximate this goal by targeting their mutation strategies toward maximizing code coverage. In this work, we present a new mutation strategy that maximizes the likelihood of triggering memory-corruption bugs by generating fewer, but better inputs. In particular, our strategy achieves bug-directed mutation by inferring the type of the input bytes. To do so, it tags each offset of the input with a basic type (e.g., 32-bit integer, string, array etc.), while deriving mutation rules for specific classes of bugs. We infer types by means of in-memory data-structure identification and dynamic taint analysis, and implement our novel mutation strategy in a fully functional fuzzer which we call TIFF (Type Inference-based Fuzzing Framework). Our evaluation on real-world applications shows that type-based fuzzing triggers bugs much earlier than existing solutions, while maintaining high code coverage. For example, on several real-world applications and libraries (e.g., poppler, mpg123 etc.), we find real bugs (with known CVEs) in almost half of the time and up to an order of magnitude fewer inputs than state-of-the-art fuzzers.

【Keywords】: Fuzzing; Taint-flow analysis; data-structure Identification; security; type inference; vulnerability/bug detection

42. Mapping to Bits: Efficiently Detecting Type Confusion Errors.

【Paper Link】 【Pages】:518-528

【Authors】: Chengbin Pang ; Yunlan Du ; Bing Mao ; Shanqing Guo

【Abstract】: The features of modularity and inheritance in C++ facilitate the developers' usage, but also give rise to the problem of type confusion. As an ancestor class may have a different data layout from its descendant class, a dangerous downcasting operation from the ancestor to its descendant can lead to a critical attack, such as control flow hijacking, out-of-bounds access to neighbor memory area, etc. As reported in CVE, such vulnerabilities have been found in various common-used software, including Google Chrome, Firefox and Adobe Flash Player, and have a trend of increase in recent years. The urgency of addressing type confusion problems quickens the pace of researchers coming to corresponding solutions. However, the existing works either handle the problem partially, or suffer from the high performance and memory overhead, especially to the large-scale projects. We present Bitype to check the validity explicitly when a type is downcasting to another, maintaining high coverage and reducing overhead and compilation time massively. The core of our design is a Safe Encoding Scheme, which encodes all of the classes by mapping them to bits. With this scheme, Bitype treats the classes and their safe convertible classes as codes and verifies typecastings in an xor operation, both decreasing the performance overhead of check and the memory overhead. Besides, we implement a Clang Tool to avoid the repeated collection of inheritance relationships and deploy a two-level lookup table to trace objects efficiently. Evaluated on SPEC CPU2006 benchmarks and Firefox browser, Bitype shows a slightly higher coverage of typecasting compared to the state-of-the-art HexType[22], but reduces the performance overhead by 2 to 16 times, the memory overhead by 2 to 3 times, the compilation time by 21 to 223 times. As a result, our solution is a practical and efficient typecasting checker for commodity software.

【Keywords】: Downcasting; Safe Encoding Scheme; Type confusion; Typecasting

43. A Heuristic Framework to Detect Concurrency Vulnerabilities.

【Paper Link】 【Pages】:529-541

【Authors】: Changming Liu ; Deqing Zou ; Peng Luo ; Bin B. Zhu ; Hai Jin

【Abstract】: With a growing demand of concurrent software to exploit multi-core hardware capability, concurrency vulnerabilities have become an inevitable threat to the security of today's IT industry. Existing concurrent program detection schemes focus mainly on detecting concurrency errors such as data races, atomicity violation, etc., with little attention paid to detect concurrency vulnerabilities that may be exploited to infringe security. In this paper, we propose a heuristic framework that combines both static analysis and fuzz testing to detect targeted concurrency vulnerabilities such as concurrency buffer overflow, double free, and use-after-free. The static analysis locates sensitive concurrent operations in a concurrent program, categorizes each finding into a potential type of concurrency vulnerability, and determines the execution order of the sensitive operations in each finding that would trigger the suspected concurrency vulnerability. The results are then plugged into the fuzzer with the execution order fixed by the static analysis in order to trigger the suspected concurrency vulnerabilities. In order to introduce more variance which increases possibility that the concurrency errors can be triggered, we also propose manipulation of thread scheduling priority to enable a fuzzer such as AFL to effectively explore thread interleavings in testing a concurrent program. To the best of our knowledge, this is the first fuzzer that is capable of effectively exploring concurrency errors. In evaluating the proposed heuristic framework with a benchmark suite of six real-world concurrent C programs, the framework detected two concurrency vulnerabilities for the proposed concurrency vulnerability detection, both being confirmed to be true positives, and produced three new crashes for the proposed interleaving exploring fuzzer that existing fuzzers could not produce. These results demonstrate the power and effectiveness of the proposed heuristic framework in detecting concurrency errors and vulnerabilities.

【Keywords】: Concurrency Vulnerabilities; Fuzzing Test; Thread Schedule

44. ICSD: An Automatic System for Insecure Code Snippet Detection in Stack Overflow over Heterogeneous Information Network.

【Paper Link】 【Pages】:542-552

【Authors】: Yanfang Ye ; Shifu Hou ; Lingwei Chen ; Xin Li ; Liang Zhao ; Shouhuai Xu ; Jiabin Wang ; Qi Xiong

【Abstract】: As the popularity of modern social coding paradigm such as Stack Overflow grows, its potential security risks increase as well (e.g., insecure codes could be easily embedded and distributed). To address this largely overlooked issue, in this paper, we bring an important new insight to exploit social coding properties in addition to code content for automatic detection of insecure code snippets in Stack Overflow. To determine if the given code snippets are insecure, we not only analyze the code content, but also utilize various kinds of relations among users, badges, questions, answers, code snippets and keywords in Stack Overflow. To model the rich semantic relationships, we first introduce a structured heterogeneous information network (HIN) for representation and then use meta-path based approach to incorporate higher-level semantics to build up relatedness over code snippets. Later, we propose a novel network embedding model named snippet2vec for representation learning in HIN where both the HIN structures and semantics are maximally preserved. After that, a multi-view fusion classifier is constructed for insecure code snippet detection. To the best of our knowledge, this is the first work utilizing both code content and social coding properties to address the code security issues in modern software coding platforms. Comprehensive experiments on the data collections from Stack Overflow are conducted to validate the effectiveness of the developed system ICSD which integrates our proposed method in insecure code snippet detection by comparisons with alternative approaches.

【Keywords】: Code Security; Heterogeneous Information Network; Multi-view Fusion; Network Representation Learning; Social Coding

Embedded Security 4

45. Crystal (ball): I Look at Physics and Predict Control Flow! Just-Ahead-Of-Time Controller Recovery.

【Paper Link】 【Pages】:553-565

【Authors】: Sriharsha Etigowni ; Shamina Hossain-McKenzie ; Maryam Kazerooni ; Katherine R. Davis ; Saman A. Zonouz

【Abstract】: Recent major attacks against unmanned aerial vehicles (UAV) and their controller software necessitate domain-specific cyber-physical security protection. Existing offline formal methods for (untrusted) controller code verification usually face state-explosion. On the other hand, runtime monitors for cyber-physical UAVs often lead to too-late notifications about unsafe states that makes timely safe operation recovery impossible. We present Crystal, a just-ahead-of-time control flow predictor and proactive recovery for UAVs. Crystal monitors the execution state of the flight controller and predicts the future control flows ahead of time based on the UAV's physical dynamics. Crystal deploys the operator's countermeasures proactively in case of an upcoming unsafe state. Crystal's just-ahead-of-time model checking explores the future control flows in parallel ahead of the UAV's actual operation by some time margin. The introduced time margin enables Crystal to accommodate operator's feedback latency by the time the actual execution reaches to the identified unsafe state. Crystal periodically queries the controller's execution state. It emulates the UAV physical dynamical model and predicts future sensor measurements (controller inputs) and upcoming feasible controller's execution paths. This drives Crystal's model-checking exploration away from unreachable future states. Crystal's selective model checking saves computational time to stay ahead of execution by concentrating on relevant upcoming control flows only. This eliminates the state-explosion problem in traditional offline formal methods. We evaluated a multi-threaded prototype of Crystal between the control station server and the UAV. Crystal was able to predict upcoming hazardous states caused by the third-party controller program and proactively restored the safe states successfully with minimal overhead.

【Keywords】:

46. Noise Matters: Using Sensor and Process Noise Fingerprint to Detect Stealthy Cyber Attacks and Authenticate sensors in CPS.

【Paper Link】 【Pages】:566-581

【Authors】: Chuadhry Mujeeb Ahmed ; Jianying Zhou ; Aditya P. Mathur

【Abstract】: A novel scheme is proposed to authenticate sensors and detect data integrity attacks in a Cyber Physical System (CPS). The proposed technique uses the hardware characteristics of a sensor and physics of a process to create unique patterns (herein termed as fingerprints) for each sensor. The sensor fingerprint is a function of sensor and process noise embedded in sensor measurements. Uniqueness in the noise appears due to manufacturing imperfections of a sensor and due to unique features of a physical process. To create a sensor's fingerprint a system-model based approach is used. A noise-based fingerprint is created during the normal operation of the system. It is shown that under data injection attacks on sensors, noise pattern deviations from the fingerprinted pattern enable the proposed scheme to detect attacks. Experiments are performed on a dataset from a real-world water treatment (SWaT) facility. A class of stealthy attacks is designed against the proposed scheme and extensive security analysis is carried out. Results show that a range of sensors can be uniquely identified with an accuracy as high as 98%. Extensive sensor identification experiments are carried out on a set of sensors in SWaT testbed. The proposed scheme is tested on a variety of attack scenarios from the reference literature which are detected with high accuracy.

【Keywords】:

47. Finding Dependencies between Cyber-Physical Domains for Security Testing of Industrial Control Systems.

【Paper Link】 【Pages】:582-594

【Authors】: John Henry Castellanos ; Martín Ochoa ; Jianying Zhou

【Abstract】: In modern societies, critical services such as transportation, power supply, water treatment and distribution are strongly dependent on Industrial Control Systems (ICS). As technology moves along, new features improve services provided by such ICS. On the other hand, this progress also introduces new risks of cyber attacks due to the multiple direct and indirect dependencies between cyber and physical components of such systems. Performing rigorous security tests and risk analysis in these critical systems is thus a challenging task, because of the non-trivial interactions between digital and physical assets and the domain-specific knowledge necessary to analyse a particular system. In this work, we propose a methodology to model and analyse a System Under Test (SUT) as a data flow graph that highlights interactions among internal entities throughout the SUT. This model is automatically extracted from production code available in Programmable Logic Controllers (PLCs). We also propose a reachability algorithm and an attack diagram that will emphasize the dependencies between cyber and physical domains, thus enabling a human analyst to gauge various attack vectors that arise from subtle dependencies in data and information propagation. We test our methodology in a functional water treatment testbed and demonstrate how an analyst could make use of our designed attack diagrams to reason on possible threats to various targets of the SUT.

【Keywords】:

48. Pointing in the Right Direction - Securing Memory Accesses in a Faulty World.

【Paper Link】 【Pages】:595-604

【Authors】: Robert Schilling ; Mario Werner ; Pascal Nasahl ; Stefan Mangard

【Abstract】: Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, assuming that the hardware performs its memory operations as instructed is not valid anymore. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have various critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multiresidue error detection code. The redundancy information is stored in the unused upper bits of the pointer with zero overhead in terms of storage. Second, load and store instructions are extended to link data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure into a RISC-V processor, tested it on a FPGA development board, and evaluated the induced overhead. Furthermore, a LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10 % in terms of code size and 7 % regarding runtime, which makes it suitable for practical adoption.

【Keywords】:

Software & OS Security 4

49. Lprov: Practical Library-aware Provenance Tracing.

【Paper Link】 【Pages】:605-617

【Authors】: Fei Wang ; Yonghwi Kwon ; Shiqing Ma ; Xiangyu Zhang ; Dongyan Xu

【Abstract】: With the continuing evolution of sophisticated APT attacks, provenance tracking is becoming an important technique for efficient attack investigation in enterprise networks. Most of existing provenance techniques are operating on system event auditing that discloses dependence relationships by scrutinizing syscall traces. Unfortunately, such auditing-based provenance is not able to track the causality of another important dimension in provenance, the shared libraries. Different from other data-only system entities like files and sockets, dynamic libraries are linked at runtime and may get executed, which poses new challenges in provenance tracking. For example, library provenance cannot be tracked by syscalls and mapping; whether a library function is called and how it is called within an execution context is invisible at syscall level; linking a library does not promise their execution at runtime. Addressing these challenges is critical to tracking sophisticated attacks leveraging libraries. In this paper, to facilitate fine-grained investigation inside the execution of library binaries, we develop Lprov, a novel provenance tracking system which combines library tracing and syscall tracing. Upon a syscall, Lprov identifies the library calls together with the stack which induces it so that the library execution provenance can be accurately revealed. Our evaluation shows that Lprov can precisely identify attack provenance involving libraries, including malicious library attack and library vulnerability exploitation, while syscall-based provenance tools fail to identify. It only incurs 7.0% (in geometric mean) runtime overhead and consumes 3 times less storage space of a state-of-the-art provenance tool.

【Keywords】:

50. Now You See Me: Real-time Dynamic Function Call Detection.

【Paper Link】 【Pages】:618-628

【Authors】: Franck de Goër ; Sanjay Rawat ; Dennis Andriesse ; Herbert Bos ; Roland Groz

【Abstract】: Efficient detection and instrumentation of function calls is fundamental for a variety of dynamic analysis techniques, including dynamic callgraph construction, control-flow integrity, and automatic vulnerability discovery. A common way of detecting calls at the machine code level is to look for CALL instructions. However, optimizing compilers frequently implement function tail calls with JMP instructions instead, and distinguishing an intra-procedural jump from a JMP-based function call is not straightforward. Despite the importance of making this distinction, prior research has not produced a reliable solution. In this paper, we address the problem of dynamic function call detection in real-time. We propose a heuristic-based approach named iCi to efficiently and automatically instrument calls, including conventional CALLs and JMP-based calls, at runtime. iCi does not rely on source code, debug information, symbol tables or static analysis. We show that iCi achieves an f-score of 0.95 in the worst case, regardless of optimization level. We open-source our implementation as well as the oracle we used for our evaluation.

【Keywords】:

51. An Historical Analysis of the SEAndroid Policy Evolution.

【Paper Link】 【Pages】:629-640

【Authors】: Bumjin Im ; Ang Chen ; Dan S. Wallach

【Abstract】: Android adopted SELinux's mandatory access control (MAC) mechanisms in 2013. Since then, billions of Android devices have benefited from mandatory access control security policies. These policies are expressed in a variety of rules, maintained by Google and extended by Android OEMs. Over the years, the rules have grown to be quite complex, making it challenging to properly understand or configure these policies. In this paper, we perform a measurement study on the SEAndroid repository to understand the evolution of these policies. We propose a new metric to measure the complexity of the policy by expanding policy rules, with their abstraction features such as macros and groups, into primitive "boxes", which we then use to show that the complexity of the SEAndroid policies has been growing exponentially over time. By analyzing the Git commits, snapshot by snapshot, we are also able to analyze the "age" of policy rules, the trend of changes, and the contributor composition. We also look at hallmark events in Android's history, such as the "Stagefright" vulnerability in Android's media facilities, pointing out how these events led to changes in the MAC policies. The growing complexity of Android's mandatory policies suggests that we will eventually hit the limits of our ability to understand these policies, requiring new tools and techniques.

【Keywords】:

52. IAC: On the Feasibility of Utilizing Neural Signals for Access Control.

【Paper Link】 【Pages】:641-652

【Authors】: Md. Lutfor Rahman ; Ajaya Neupane ; Chengyu Song

【Abstract】: Access control is the core security mechanism of an operating system (OS). Ideally, the access control system should enforce context integrity, i.e., an application can only access security and privacy sensitive resources expected by users. Unfortunately, existing access control systems, including the permission systems in modern OS like iOS and Android, all fail to enforce context integrity thus allow apps to abuse their permissions. A naive approach to enforce context integrity is to prompt users every time a sensitive resource is accessed, but this will quickly lead to habituation. The state-of-art solutions include (1) user-driven access control, which binds a predefined context to protected GUI elements and (2) predicting users' authorization decision based on their previous behaviors and privacy preferences. However, previous studies have shown that the first approach is vulnerable to attacks (e.g., clickjacking) and the second approach is challenging to implement as it is difficult to infer the context. In this work, we explore the feasibility of a novel approach to enforce the context integrity---by inferring what task users want to do under the given context from their neural signals; then automatically authorizes access to a predefined set of sensitive resources that are necessary for that task. We conducted a comprehensive user study including 41 participants where we collected their neural signals when they were performing tasks that required access to sensitive resources. After preprocessing and features extraction, we trained machine learning classifier to infer what kind of tasks a user wants to perform. The experiment results show that the classifier was able to infer the high-level intents like take a photo with a weighted average precision of 88%.

【Keywords】:

Blockchain & Smart Contracts 4

53. Finding The Greedy, Prodigal, and Suicidal Contracts at Scale.

【Paper Link】 【Pages】:653-663

【Authors】: Ivica Nikolic ; Aashish Kolluri ; Ilya Sergey ; Prateek Saxena ; Aquinas Hobor

【Abstract】: Smart contracts---stateful executable objects hosted on blockchains like Ethereum---carry billions of dollars worth of coins and cannot be updated once deployed. We present a new systematic characterization of a class of trace vulnerabilities, which result from analyzing multiple invocations of a contract over its lifetime. We focus attention on three example properties of such trace vulnerabilities: finding contracts that either lock funds indefinitely, leak them carelessly to arbitrary users, or can be killed by anyone. We implemented Maian, the first tool for specifying and reasoning about trace properties, which employs interprocedural symbolic analysis and concrete validator for exhibiting real exploits. Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract. On a subset of 3,759 contracts which we sampled for concrete validation and manual analysis, we reproduce real exploits at a true positive rate of 89%, yielding exploits for 3,686 contracts. Our tool finds exploits for the infamous Parity bug that indirectly locked $200 million US worth in Ether, which previous analyses failed to capture.

【Keywords】:

54. Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts.

【Paper Link】 【Pages】:664-676

【Authors】: Christof Ferreira Torres ; Julian Schütte ; Radu State

【Abstract】: The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language. In this paper we introduce Osiris -- a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Besides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.

【Keywords】:

55. SmarTor: Smarter Tor with Smart Contracts: Improving resilience of topology distribution in the Tor network.

【Paper Link】 【Pages】:677-691

【Authors】: Greubel Andre ; Dmitrienko Alexandra ; Kounev Samuel

【Abstract】: In the Tor anonymity network, the distribution of topology information relies on the correct behavior of five out of the nine trusted directory authority servers. This centralization is concerning since a powerful adversary might compromise these servers and conceal information about honest nodes, leading to the full de-anonymization of all Tor users. Our work aims at distributing the work of these trusted authorities, thus increasing resilience against attacks on core infrastructure components of the Tor network. In particular, we leverage several emerging technologies, such as blockchains, smart contracts, and trusted execution environments to design and prototype a system called SmarTor. This system replaces the directory authorities with a smart contract and a distributed network of untrusted entities responsible for bandwidth measurements. We prototyped SmarTor using Ethereum smart contracts and Intel SGX secure hardware. In our evaluation, we show that SmarTor produces significantly more reliable and precise measurements compared to the current measurement system. Overall, our solution improves the decentralization of the Tor network, reduces trust assumptions and increases resilience against powerful adversaries like law enforcement and intelligence services.

【Keywords】:

56. Obscuro: A Bitcoin Mixer using Trusted Execution Environments.

【Paper Link】 【Pages】:692-701

【Authors】: Muoi Tran ; Loi Luu ; Min Suk Kang ; Iddo Bentov ; Prateek Saxena

【Abstract】: Bitcoin provides only pseudo-anonymous transactions, which can be exploited to link payers and payees -- defeating the goal of anonymous payments. To thwart such attacks, several Bitcoin mixers have been proposed, with the objective of providing unlinkability between payers and payees. However, existing Bitcoin mixers can be regarded as either insecure or inefficient. We present Obscuro, a highly efficient and secure Bitcoin mixer that utilizes trusted execution environments (TEEs). With the TEE's confidentiality and integrity guarantees for code and data, our mixer design ensures the correct mixing operations and the protection of sensitive data (i.e., private keys and mixing logs), ruling out coin theft and address linking attacks by a malicious service provider. Yet, the TEE-based implementation does not prevent the manipulation of inputs (e.g., deposit submissions, blockchain feeds) to the mixer, hence Obscuro is designed to overcome such limitations: it (1) offers an indirect deposit mechanism to prevent a malicious service provider from rejecting benign user deposits; and (2) scrutinizes blockchain feeds to prevent deposits from being mixed more than once (thus degrading anonymity) while being eclipsed from the main blockchain branch. In addition, Obscuro provides several unique anonymity features (e.g., minimum mixing set size guarantee, resistant to dropping user deposits) that are not available in existing centralized and decentralized mixers. Our prototype of Obscuro is built using Intel SGX and we demonstrate its effectiveness in Bitcoin Testnet. Our implementation mixes 1000 inputs in just 6.49 seconds, which vastly outperforms all of the existing decentralized mixers.

【Keywords】:

Cloud Security 2

57. There's a Hole in that Bucket!: A Large-scale Analysis of Misconfigured S3 Buckets.

【Paper Link】 【Pages】:702-711

【Authors】: Andrea Continella ; Mario Polino ; Marcello Pogliani ; Stefano Zanero

【Abstract】: Cloud storage services are an efficient solution for a variety of use cases, allowing even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, using public cloud services for storage comes with security and privacy concerns. In fact, managing access control at scale is often particularly hard, as the size and complexity rapidly increases, especially when the role of access policies is underestimated, resulting in dangerous misconfigurations. In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We developed a tool that automatically performs security checks of S3 buckets, without storing nor exposing any sensitive data. This tool is intended for developers, end-users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large-scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in access control policies. The most concerning one is certainly the (unwanted) exposure of storage buckets: These can easily leak sensitive data, such as private keys, credentials and database dumps, or allow attackers to tamper with their resources. To raise awareness on the risks and help users to secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that rely on S3 buckets. In fact, we identify 191 vulnerable websites. Finally, we propose a browser extension that prevents loading resources hosted in unsecured buckets, intended either for end-users, as a mitigation against vulnerable websites, and for developers and software testers, as a way to check for misconfigurations.


58. DeDoS: Defusing DoS with Dispersion Oriented Software.

【Paper Link】 【Pages】:712-722

【Authors】: Henri Maxime Demoulin ; Tavish Vaidya ; Isaac Pedisich ; Bob DiMaiolo ; Jingyu Qian ; Chirag Shah ; Yuankai Zhang ; Ang Chen ; Andreas Haeberlen ; Boon Thau Loo ; Linh Thi Xuan Phan ; Micah Sherr ; Clay Shields ; Wenchao Zhou

【Abstract】: This paper presents DeDoS, a novel platform for mitigating asymmetric DoS attacks. These attacks are particularly challenging since even attackers with limited resources can exhaust the resources of well-provisioned servers. DeDoS offers a framework to deploy code in a highly modular fashion. If part of the application stack is experiencing a DoS attack, DeDoS can massively replicate only the affected component, potentially across many machines. This allows scaling of the impacted resource separately from the rest of the application stack, so that resources can be precisely added where needed to combat the attack. Our evaluation results show that DeDoS incurs reasonable overheads in normal operations, and that it significantly outperforms standard replication techniques when defending against a range of asymmetric attacks.


Passwords 2

59. Improving security and usability of passphrases with guided word choice.

【Paper Link】 【Pages】:723-732

【Authors】: Nikola K. Blanchard ; Clément Malaingre ; Ted Selker

【Abstract】: Passphrases have many uses, such as serving as seeds for passwords. User-created passphrases are easier to remember, but tend to be less secure than ones created from words randomly chosen in a dictionary. This paper develops a way of making more memorable, more secure passphrases. It investigates the security and usability of creating a passphrase by choosing from a randomly generated set of words presented as a two-dimensional array. A usability experiment shows that participants using this method achieved 97% to 99% of the maximal theoretical entropy and committed fewer than half as many memory mistakes as a control group with assigned passphrases. It also shows that their choices are affected by word familiarity and weakly by the word's position in the array. Prompting a person with random words from a large dictionary is an effective way of helping them make a more memorable high-entropy passphrase.


60. On The Systematic Development and Evaluation Of Password Security Awareness-Raising Materials.

【Paper Link】 【Pages】:733-748

【Authors】: Peter Mayer ; Christian Schwartz ; Melanie Volkamer

【Abstract】: Text passwords play an important role in protecting the assets of organisations. Thus, it is of the essence that employees are well aware of possible attacks and defences. To that end, we developed a password security awareness-raising material in a systematic iterative process: The material is based on the literature on password security, feedback of independent experts, and feedback of lay-users. It was evaluated in the field with employees of three organisations. Our results show that the participating employees improved their abilities to (1) discern secure from insecure password-related behaviour in a variety of scenarios relating to different attacks and (2) assess passwords as secure or insecure. These improved abilities of the participants were still present in a retention after six months. Thus, the developed awareness-raising material contributes to improving the password-related security in organisations.
