ACSAC 2019: San Juan, PR, USA

Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, San Juan, PR, USA, December 09-13, 2019. ACM

Paper Num: 60 || Session Num: 16

IOT security 4

1. Proof of aliveness.

【Pages】: 1-16

【Authors】: Chenglu Jin ; Zheng Yang ; Marten van Dijk ; Jianying Zhou

【Abstract】: In 2017, malware Triton was discovered in a petrol plant in Saudi Arabia, and it shut down the safety instrumented systems in the affected industrial control system without being noticed by the operators. If the malware was not discovered by a security company on time, it could leave the system running without any safety measures, and eventually lead to an explosion. To detect such attacks, one can track the running status of the devices in the field to know that they are still "alive". However, in practice, there yet does not exist an efficient and cryptographically secure mechanism/protocol that can prove the aliveness of a device to control centers over an open network.

【Keywords】: Security and privacy; Network security; Security protocols; Security services; Authentication

2. Co-evaluation of pattern matching algorithms on IoT devices with embedded GPUs.

【Pages】: 17-27

【Authors】: Charalampos Stylianopoulos ; Simon Kindström ; Magnus Almgren ; Olaf Landsiedel ; Marina Papatriantafilou

【Abstract】: Pattern matching is an important building block for many security applications, including Network Intrusion Detection Systems (NIDS). As NIDS grow in functionality and complexity, the time overhead and energy consumption of pattern matching become a significant consideration that limits the deployability of such systems, especially on resource-constrained devices. On the other hand, the emergence of new computing platforms, such as embedded devices with integrated, general-purpose Graphics Processing Units (GPUs), brings new, interesting challenges and opportunities for algorithm design in this setting: how to make use of new architectural features and how to evaluate their effect on algorithm performance. Up to now, work that focuses on pattern matching for such platforms has been limited to specific algorithms in isolation.

【Keywords】: Security and privacy; Network security

3. Aegis: a context-aware security framework for smart home systems.

【Pages】: 28-41

【Authors】: Amit Kumar Sikder ; Leonardo Babun ; Hidayet Aksu ; A. Selcuk Uluagac

【Abstract】: Our everyday lives are expanding fast with the introduction of new Smart Home Systems (SHSs). Today, a myriad of SHS devices and applications are widely available to users and have already started to re-define our modern lives. Smart home users utilize the apps to control and automate such devices. Users can develop their own apps or easily download and install them from vendor-specific app markets. App-based SHSs offer many tangible benefits to our lives, but also unfold diverse security risks. Several attacks have already been reported for SHSs. However, current security solutions consider smart home devices and apps individually to detect malicious actions rather than the context of the SHS as a whole. The existing mechanisms cannot capture user activities and sensor-device-user interactions in a holistic fashion. To address these issues, in this paper, we introduce Aegis, a novel context-aware security framework to detect malicious behavior in a SHS. Specifically, Aegis observes the states of the connected smart home entities (sensors and devices) for different user activities and usage patterns in a SHS and builds a contextual model to differentiate between malicious and benign behavior. We evaluated the efficacy and performance of Aegis in multiple smart home settings (i.e., single bedroom, double bedroom, duplex) with real-life users performing day-to-day activities and real SHS devices. We also measured the performance of Aegis against five different malicious behaviors. Our detailed evaluation shows that Aegis can detect malicious behavior in SHS with high accuracy (over 95%) and secure the SHS regardless of the smart home layout, device configuration, installed apps, and enforced user policies. Finally, Aegis achieves minimum overhead in detecting malicious behavior in SHS, ensuring easy deployability in real-life smart environments.

【Keywords】: Security and privacy; Systems security; Distributed systems security

4. Defeating hidden audio channel attacks on voice assistants via audio-induced surface vibrations.

【Pages】: 42-56

【Authors】: Chen Wang ; S. Abhishek Anand ; Jian Liu ; Payton Walker ; Yingying Chen ; Nitesh Saxena

【Abstract】: Voice access technologies are widely adopted in mobile devices and voice assistant systems as a convenient way of user interaction. Recent studies have demonstrated a potentially serious vulnerability of the existing voice interfaces on these systems to "hidden voice commands". This attack uses synthetically rendered adversarial sounds embedded within a voice command to trick the speech recognition process into executing malicious commands, without being noticed by legitimate users.

【Keywords】: Security and privacy; Network security; Mobile and wireless security; Systems security

Binary analysis & defense 4

5. TF-BIV: transparent and fine-grained binary integrity verification in the cloud.

【Pages】: 57-69

【Authors】: Fangjie Jiang ; Quanwei Cai ; Jingqiang Lin ; Bo Luo ; Le Guan ; Ziqiang Ma

【Abstract】: With the emergence of virtualization technologies, various services have been migrated to the cloud. Beyond the tenants' own security controls implemented in the virtual machine (VM), the binary integrity verification mechanism in the virtual machine manager (VMM) provides stronger protections against malware. Unfortunately, none of existing integrity verification mechanisms in the cloud provides complete transparency and fine-grained efficiency. Some schemes selectively check the integrity of sensitive binaries, but they require modifications to the VMs (e.g., integrating monitoring libraries) to trigger verification. Others, although need no modification to the VMs, have to enforce checking on all the binaries, because they cannot distinguish binary images for the sensitive processes from the binaries for insensitive ones, leading to significant performance overheads. In this paper, we present TF-BIV, a transparent and fine-grained binary integrity verification scheme, which does not require any modification or software/driver installation in the VM. TF-BIV identifies the sensitive processes at the creation, and checks the integrity of the binaries (including the guest OS kernel and the dependant binaries) related to these processes. The provided transparency and efficiency are achieved by leveraging existing hardware virtualization supports (i.e., Intel extended page table) and debugging features (i.e., monitor trap flag). We have implemented the TF-BIV prototype based on QEMU-KVM. To demonstrate the usability of TF-BIV, we adopted it for cloud-based cryptographic services, to achieve the strict invoking controls. In addition to the password-based authentication, TF-BIV further achieves process-level authorization to the invokers. Intensive evaluation shows that TF-BIV implements the designed binary integrity verification with only about 3.6% performance overhead.

【Keywords】: Security and privacy; Security services; Access control; Systems security; Operating systems security; Virtualization and security

6. Nibbler: debloating binary shared libraries.

【Pages】: 70-83

【Authors】: Ioannis Agadakos ; Di Jin ; David Williams-King ; Vasileios P. Kemerlis ; Georgios Portokalidis

【Abstract】: Developers today have access to an arsenal of toolkits and libraries for rapid application prototyping. However, when an application loads a library, the entirety of that library's code is mapped into the address space, even if only a single function is actually needed. The unused portion is bloat that can negatively impact software defenses by unnecessarily inflating their overhead or increasing their attack surface. Recent work has explored debloating as a way of alleviating the above problems, when source code is available. In this paper, we investigate whether debloating is possible and practical at the binary level. To this end, we present Nibbler: a system that identifies and erases unused functions within shared libraries. Nibbler works in tandem with defenses like continuous code re-randomization and control-flow integrity, enhancing them without incurring additional run-time overhead. We developed and tested a prototype of Nibbler on x86-64 Linux; Nibbler reduces the size of shared libraries and the number of available functions, for real-world binaries and the SPEC CINT2006 suite, by up to 56% and 82%, respectively. We also demonstrate that Nibbler benefits defenses by showing that: (i) it improves the deployability of a continuous re-randomization system for binaries, namely Shuffler, by increasing its efficiency by 20%, and (ii) it improves certain fast, but coarse and context-insensitive control-flow integrity schemes by reducing the number of gadgets reachable through returns and indirect calls by 75% and 49% on average.

【Keywords】: Security and privacy; Software and application security; Software reverse engineering; Software security engineering; Systems security; Information flow control

7. Function boundary detection in stripped binaries.

【Pages】: 84-96

【Authors】: Jim Alves-Foss ; Jia Song

【Abstract】: Automated cyber defense tools require the ability to analyze binary applications, detect vulnerabilities and automatically patch those vulnerabilities. The insertion of security mechanisms that operate at function boundaries (e.g., control flow mitigation, stack guards) requires automated detection of those boundaries. This paper introduces a publicly available function boundary detection tool for 32 and 64-bit Intel binaries running under Linux, that is more accurate than other reported approaches.

【Keywords】: Security and privacy; Software and application security; Software reverse engineering

8. VPS: excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching.

【Pages】: 97-112

【Authors】: Andre Pawlowski ; Victor van der Veen ; Dennis Andriesse ; Erik van der Kouwe ; Thorsten Holz ; Cristiano Giuffrida ; Herbert Bos

【Abstract】: Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vectors for C++ binaries.

【Keywords】: Security and privacy; Software and application security; Software reverse engineering

AI security 4

9. STRIP: a defence against trojan attacks on deep neural networks.

【Pages】: 113-125

【Authors】: Yansong Gao ; Change Xu ; Derui Wang ; Shiping Chen ; Damith Chinthana Ranasinghe ; Surya Nepal

【Abstract】: A recent trojan attack on deep neural network (DNN) models is one insidious variant of data poisoning attacks. Trojan attacks exploit an effective backdoor created in a DNN model by leveraging the difficulty in interpretability of the learned model to misclassify any inputs signed with the attacker's chosen trojan trigger. Since the trojan trigger is a secret guarded and exploited by the attacker, detecting such trojan inputs is a challenge, especially at run-time when models are in active operation. This work builds STRong Intentional Perturbation (STRIP) based run-time trojan attack detection system and focuses on vision system. We intentionally perturb the incoming input, for instance by superimposing various image patterns, and observe the randomness of predicted classes for perturbed inputs from a given deployed model, malicious or benign. A low entropy in predicted classes violates the input-dependence property of a benign model and implies the presence of a malicious input, a characteristic of a trojaned input. The high efficacy of our method is validated through case studies on three popular and contrasting datasets: MNIST, CIFAR10 and GTSRB. We achieve an overall false acceptance rate (FAR) of less than 1%, given a preset false rejection rate (FRR) of 1%, for different types of triggers. Using CIFAR10 and GTSRB, we have empirically achieved result of 0% for both FRR and FAR. We have also evaluated STRIP robustness against a number of trojan attack variants and adaptive attacks.

【Keywords】: Computing methodologies; Machine learning; Machine learning approaches; Neural networks; Security and privacy; Software and application security; Domain-specific security and privacy architectures

10. How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN.

【Pages】: 126-137

【Authors】: Zheng Li ; Chengyu Hu ; Yang Zhang ; Shanqing Guo

【Abstract】: Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity.

【Keywords】: Security and privacy; Software and application security; Systems security

11. D2NN: a fine-grained dual modular redundancy framework for deep neural networks.

【Pages】: 138-147

【Authors】: Yu Li ; Yannan Liu ; Min Li ; Ye Tian ; Bo Luo ; Qiang Xu

【Abstract】: Deep Neural Networks (DNNs) have attracted mainstream adoption in various application domains. Their reliability and security are therefore serious concerns in those safety-critical applications such as surveillance and medical systems. In this paper, we propose a novel dual modular redundancy framework for DNNs, namely D2NN, which is able to tradeoff the system robustness with overhead in a fine-grained manner. We evaluate D2NN framework with DNN models trained on MNIST and CIFAR10 datasets under fault injection attacks, and experimental results demonstrate the efficacy of our proposed solution.

【Keywords】: Computer systems organization; Dependable and fault-tolerant systems and networks; Redundancy; Computing methodologies; Machine learning; Machine learning approaches; Neural networks

12. Model inversion attacks against collaborative inference.

【Pages】: 148-162

【Authors】: Zecheng He ; Tianwei Zhang ; Ruby B. Lee

【Abstract】: The prevalence of deep learning has drawn attention to the privacy protection of sensitive data. Various privacy threats have been presented, where an adversary can steal model owners' private data. Meanwhile, countermeasures have also been introduced to achieve privacy-preserving deep learning. However, most studies only focused on data privacy during training, and ignored privacy during inference.

【Keywords】: Computing methodologies; Artificial intelligence; Security and privacy; Systems security; Distributed systems security

Software security I 4

13. Systematic comparison of symbolic execution systems: intermediate representation and its generation.

【Pages】: 163-176

【Authors】: Sebastian Poeplau ; Aurélien Francillon

【Abstract】: Symbolic execution has become a popular technique for software testing and vulnerability detection. Most implementations transform the program under analysis to some intermediate representation (IR), which is then used as a basis for symbolic execution. There is a multitude of available IRs, and even more approaches to transform target programs into a respective IR.

【Keywords】: Security and privacy; Software and application security; Software security engineering; Software and its engineering; Software creation and management; Software verification and validation; Software defect analysis; Software testing and debugging

14. How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections).

【Pages】: 177-189

【Authors】: Mathilde Ollivier ; Sébastien Bardin ; Richard Bonichon ; Jean-Yves Marion

【Abstract】: Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) show very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

【Keywords】: Security and privacy; Formal methods and theory of security; Logic and verification; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Software and application security; Software reverse engineering; Software and its engineering; Software organization and properties; Software functional properties; Formal methods

15. Sleak: automating address space layout derandomization.

【Pages】: 190-202

【Authors】: Christophe Hauser ; Jayakrishna Menon ; Yan Shoshitaishvili ; Ruoyu Wang ; Giovanni Vigna ; Christopher Kruegel

【Abstract】: We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.

【Keywords】: Security and privacy; Formal methods and theory of security; Logic and verification; Software and application security; Software reverse engineering

16. SIP shaker: software integrity protection composition.

【Pages】: 203-214

【Authors】: Mohsen Ahmadvand ; Dennis Fischer ; Sebastian Banescu

【Abstract】: Man-At-The-End (MATE) attackers are almighty adversaries against whom there exists no silver-bullet countermeasure. To raise the bar, a wide range of protection measures were proposed in the literature each of which adds resilience against certain attacks on certain digital assets of a program. Intuitively, composing a set of protections (rather than applying just one of them) can mitigate a wider range of attacks and hence offer a higher level of security. Despite the potential benefits, very limited research has been done on the composition of protections. Naive compositions could lead to conflicts which, in turn, limit the application of protections, raise false alarms, and worse yet, yield corrupted binaries. More importantly, inadequate compositions of such protections are not tailored for the program at hand and thus the offered security and performance are sub-optimal. In this paper, we first lay out a set of generic constraints for a conflict-free composition of protections. Then, we develop a composition framework based on a defense graph in which nodes and edges capture protections, their relations, and constraints. The conflicts problem together with optimization requirements are then translated into a set of integer constraints. We then use Integer Linear Programming (ILP) to handle conflicts while optimizing for a higher security and lower overhead. To measure the overhead, we use a set of real-world programs (MiBench dataset and open source games). Our evaluation results indicate that our composition framework reduces the overhead by ≈ 39% while maximizing the coverage. Moreover, our approach yields a 5-fold decrease in overhead compared to state-of-the-art heuristics.

【Keywords】: Security and privacy; Software and application security; Software security engineering

Intrusion detection 4

17. Detecting organized eCommerce fraud using scalable categorical clustering.

【Pages】: 215-228

【Authors】: Samuel Marchal ; Sebastian Szyller

【Abstract】: Online retail, eCommerce, frequently falls victim to fraud conducted by malicious customers (fraudsters) who obtain goods or services through deception. Fraud coordinated by groups of professional fraudsters that place several fraudulent orders to maximize their gain is referred to as organized fraud. Existing approaches to fraud detection typically analyze orders in isolation and they are not effective at identifying groups of fraudulent orders linked to organized fraud. These also wrongly identify many legitimate orders as fraud, which hinders their usage for automated fraud cancellation. We introduce a novel solution to detect organized fraud by analyzing orders in bulk. Our approach is based on clustering and aims to group together fraudulent orders placed by the same group of fraudsters. It selectively uses two existing techniques, agglomerative clustering and sampling to recursively group orders into small clusters in a reasonable amount of time. We assess our clustering technique on real-world orders placed on the Zalando website, the largest online apparel retailer in Europe. Our clustering processes 100,000s of orders in a few hours and groups 35-45% of fraudulent orders together. We propose a simple technique built on top of our clustering that detects 26.2% of fraud while raising false alarms for only 0.1% of legitimate orders.

【Keywords】: Applied computing; Electronic commerce; Information systems; World Wide Web; Web applications; Electronic commerce; Online shopping; Security and privacy; Intrusion/anomaly detection and malware mitigation; Intrusion detection systems; Software and application security

18. SIMPLE: single-frame based physical layer identification for intrusion detection and prevention on in-vehicle networks.

【Pages】: 229-244

【Authors】: Mahsa Foruhandeh ; Yanmao Man ; Ryan M. Gerdes ; Ming Li ; Thidapat Chantem

【Abstract】: The Controller Area Network (CAN) is a bus standard commonly used in the automotive industry for connecting Electronic Control Units (ECUs) within a vehicle. The broadcast nature of this protocol, along with the lack of authentication or strong integrity guarantees for frames, allows for arbitrary data injection/modification and impersonation of the ECUs. While mitigation strategies have been proposed to counter these attacks, high implementation costs or violation of backward compatibility hinder their deployment. In this work, we first examine the shortcomings of state-of-the-art CAN intrusion detection and identification systems that rely on multiple frames to detect misbehavior and attribute it to a particular ECU, and show that they are vulnerable to a Hill-Climbing-style attack. Then we propose SIMPLE, a real-time intrusion detection and identification system that exploits physical layer features of ECUs, which would not only allow an attack to be detected using a single frame but also be effectively nullified. SIMPLE has low computational and data acquisition costs, and its efficacy is demonstrated by both in-lab experiments with automotive-grade CAN transceivers as well as in-vehicle experiments, where average equal error rates of close to 0% and 0.8985% are achieved, respectively.

【Keywords】: Hardware; Communication hardware, interfaces and storage; Buses and high-speed links; Networking hardware; Security and privacy; Intrusion/anomaly detection and malware mitigation; Intrusion detection systems; Security in hardware; Hardware attacks and countermeasures

19. Improving intrusion detectors by crook-sourcing.

【Pages】: 245-256

【Authors】: Frederico Araujo ; Gbadebo Ayoade ; Khaled Al-Naami ; Yang Gao ; Kevin W. Hamlen ; Latifur Khan

【Abstract】: Conventional cyber defenses typically respond to detected attacks by rejecting them as quickly and decisively as possible; but aborted attacks are missed learning opportunities for intrusion detection. A method of reimagining cyber attacks as free sources of live training data for machine learning-based intrusion detection systems (IDSes) is proposed and evaluated. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web data streams.

【Keywords】: Computing methodologies; Machine learning; Security and privacy; Intrusion/anomaly detection and malware mitigation; Software and application security; Software security engineering; Web application security

20. JStap: a static pre-filter for malicious JavaScript detection.

【Pages】: 257-269

【Authors】: Aurore Fass ; Michael Backes ; Ben Stock

【Abstract】: Given the success of the Web platform, attackers have abused its main programming language, namely JavaScript, to mount different types of attacks on their victims. Due to the large volume of such malicious scripts, detection systems rely on static analyses to quickly process the vast majority of samples. These static approaches are not infallible though and lead to misclassifications. Also, they lack semantic information to go beyond purely syntactic approaches. In this paper, we propose JStap, a modular static JavaScript detection system, which extends the detection capability of existing lexical and AST-based pipelines by also leveraging control and data flow information. Our detector is composed of ten modules, including five different ways of abstracting code, with differing levels of context and semantic information, and two ways of extracting features. Based on the frequency of these specific patterns, we train a random forest classifier for each module. In practice, JStap outperforms existing systems, which we reimplemented and tested on our dataset totaling over 270,000 samples. To improve the detection, we also combine the predictions of several modules. A first layer of unanimous voting classifies 93% of our dataset with an accuracy of 99.73%, while a second layer, based on an alternative modules' combination, labels another 6.5% of our initial dataset with an accuracy over 99%. This way, JStap can be used as a precise pre-filter, meaning that it would only need to forward less than 1% of samples to additional analyses. For reproducibility and direct deployability of our modules, we make our system publicly available.

【Keywords】: Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Software and application security; Web application security

Privacy 4

21. Koinonia: verifiable e-voting with long-term privacy.

【Pages】: 270-285

【Authors】: Huangyi Ge ; Sze Yiu Chau ; Victor E. Gonsalves ; Huian Li ; Tianhao Wang ; Xukai Zou ; Ninghui Li

【Abstract】: Despite years of research, many existing e-voting systems do not adequately protect voting privacy. In most cases, such systems only achieve "immediate privacy", that is, they only protect voting privacy against today's adversaries, but not against a future adversary, who may possess better attack technologies like new cryptanalysis algorithms and/or quantum computers. Previous attempts at providing long-term voting privacy (dubbed "everlasting privacy" in the literature) often require additional trusts in parties that do not need to be trusted for immediate privacy.

【Keywords】: Security and privacy; Cryptography; Public key (asymmetric) techniques; Security services; Authentication; Authorization; Privacy-preserving protocols; Pseudonymity, anonymity and untraceability

22. Whisper: a unilateral defense against VoIP traffic re-identification attacks.

【Pages】: 286-296

【Authors】: Tavish Vaidya ; Tim Walsh ; Micah Sherr

【Abstract】: Encrypted voice-over-IP (VoIP) communication often uses variable bit rate (VBR) codecs to achieve good audio quality while minimizing bandwidth costs. Prior work has shown that encrypted VBR-based VoIP streams are vulnerable to re-identification attacks in which an attacker can infer attributes (e.g., the language being spoken, the identities of the speakers, and key phrases) about the underlying audio by analyzing the distribution of packet sizes. Existing defenses require the participation of both the sender and receiver to secure their VoIP communications.

【Keywords】: Security and privacy; Network security

【Pages】: 297-312

【Authors】: Nicholas Mainardi ; Alessandro Barenghi ; Gerardo Pelosi

【Abstract】: The problem of efficiently searching into outsourced encrypted data, while providing strong privacy guarantees, is a challenging problem arising from the separation of data ownership and data management typical of cloud-based applications. Several cryptographic solutions allowing a client to look-up occurrences of a substring of choice in an outsourced document collection have been publicly presented. Nonetheless, practical application requirements in terms of privacy, security and efficiency actively push for new and improved solutions. We present a privacy-preserving substring search protocol exhibiting a sub-linear communication cost, with a limited computational effort on the server side. The proposed protocol provides search pattern and access pattern privacy, while its extension to a multi-user setting shows significant savings in terms of outsourced storage w.r.t. a baseline solution where the whole dataset is replicated. The performance figures of an optimized implementation of our protocol, searching into a remotely stored genomic dataset, validate the practicality of the approach exhibiting a data transfer of less than 200 kiB to execute a query over a document of 40 MiB, with execution times on client and server in the range of a few seconds and a few minutes, respectively.

【Keywords】: Security and privacy; Database and storage security; Management and querying of encrypted data; Network security; Security protocols; Security services; Privacy-preserving protocols

24. Revisiting utility metrics for location privacy-preserving mechanisms.

Paper Link】 【Pages】:313-327

【Authors】: Virat Shejwalkar ; Amir Houmansadr ; Hossein Pishro-Nik ; Dennis Goeckel

【Abstract】: The literature has extensively studied various location privacy-preserving mechanisms (LPPMs) in order to improve the location privacy of the users of location-based services (LBSes). Such privacy, however, comes at the cost of degrading the utility of the underlying LBSes. The main body of previous work has used a generic distance-only based metric to quantify the quality loss incurred while employing LPPMs. In this paper, we argue that using such generic utility metrics misleads the design and evaluation of LPPMs, since generic utility metrics do not capture the actual utility perceived by the users. We demonstrate this for ride-hailing services, a popular class of LBS with complex utility behavior. Specifically, we design a privacy-preserving ride-hailing service, called PRide, and demonstrate the significant distinction between its generic and tailored metrics. Through various experiments we show the significant implications of using generic utility metrics in the design and evaluation of LPPMs. Our work concludes that LPPM design and evaluation should use utility metrics that are tailored to the individual LBSes.

【Keywords】: Security and privacy; Human and societal aspects of security and privacy; Usability in security and privacy; Security services; Privacy-preserving protocols; Pseudonymity, anonymity and untraceability; Software and application security; Social network security and privacy

Mobile security 4

25. Detecting (absent) app-to-app authentication on cross-device short-distance channels.

Paper Link】 【Pages】:328-338

【Authors】: Stefano Cristalli ; Long Lu ; Danilo Bruschi ; Andrea Lanzi

【Abstract】: Short-distance or near-field communication is increasingly used by mobile apps for interacting or exchanging data in a cross-device fashion. In this paper, we identify a security issue, namely cross-device app-to-app communication hijacking (or CATCH), that affects Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi-Direct). This issue causes unauthenticated or malicious app-to-app interactions even when the underlying communication channels are authenticated and secured. In addition to discovering the security issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. Our algorithm checks if a given app contains an app-to-app authentication scheme, necessary for preventing CATCH. We perform experiments on a set of Android apps and show the CATCH problem is always present on the whole analyzed applications set. We also discuss the impact of the problem in real scenarios by presenting two real case studies. At the end of the paper we reported limitations of our model along with future improvements.

【Keywords】: Security and privacy; Network security; Mobile and wireless security; Security services; Authentication; Software and application security

26. An empirical study of SMS one-time password authentication in Android apps.

Paper Link】 【Pages】:339-354

【Authors】: Siqi Ma ; Runhan Feng ; Juanru Li ; Yang Liu ; Surya Nepal ; Diethelm Ostry ; Elisa Bertino ; Robert H. Deng ; Zhuo Ma ; Sanjay Jha

【Abstract】: A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstances, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not specially designed as a secure service and thus an SMS One-Time Password is vulnerable to many attacks. To check whether a wide variety of currently used SMS OTP authentication protocols in Android apps are properly implemented, this paper presents an empirical study against them. We first derive a set of rules from RFC documents as the guide to implement secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionalities and then analyzes the OTP implementations including those proprietary ones. By only analyzing SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify the potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. The further analysis of AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) out of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider our discussed security rules and violations so as to implement SMS OTP properly.

【Keywords】: Security and privacy; Security services; Authentication; Multi-factor authentication; Software and application security; Software reverse engineering; Software security engineering

27. Challenge-response behavioral mobile authentication: a comparative study of graphical patterns and cognitive games.

Paper Link】 【Pages】:355-365

【Authors】: Manar Mohamed ; Prakash Shrestha ; Nitesh Saxena

【Abstract】: The most researched behavioral biometrics for mobile device authentication involves the use of touch gestures as the user enters a graphical pattern password (like the one used on Android) or otherwise interacts with the device. However, due to the inherent static nature of these schemes, they are vulnerable to impersonation attacks. In this paper, we investigate challenge-response mechanisms to address this security vulnerability underlying the traditional static biometric schemes. We study the performance, security, and usability of two schemes of such challenge-response interactive biometric authentication geared for mobile devices and contrast them to static graphical pattern based biometrics. The first scheme is based on random graphical patterns. The second scheme, recently introduced for PC class of devices (not mobile), is based on a simple cognitive game involving semantic interactive random challenges. Our results show that the accuracy of user identification with these approaches is similar to static pattern based biometric scheme. Finally, we argue that utilizing interactivity and randomization significantly enhances the security against impersonation attacks. As an independent result, our work demonstrates that the use of motion sensors available on mobile device serves to improve the identification accuracy of schemes that only use touch-based gestures (static and interactive).

【Keywords】: Security and privacy; Security services; Authentication

28. AppVeto: mobile application self-defense through resource access veto.

Paper Link】 【Pages】:366-377

【Authors】: Tousif Osman ; Mohammad Mannan ; Urs Hengartner ; Amr M. Youssef

【Abstract】: Modern mobile operating systems such as Android and Apple iOS allow apps to access various system resources, with or without explicit user permission. Running multiple concurrent apps is also commonly supported, although the OS generally maintains strict separation between apps. However, an app can still get access to another app's private information, such as the user input, through numerous side-channels, mostly enabled by having access to permissioned or permission-less (sometimes even unrelated) resources, e.g., inferring keystroke and swipe gestures from a victim app via the accelerometer or gyroscope. Current mobile OSes do not empower an app to defend itself from such implicit interference from other apps; few exceptions exist such as blocking screenshot captures in Android. We propose a general mechanism for apps to defend themselves from any unwanted implicit or explicit interference from other concurrently running apps. Our AppVeto solution enables an app to easily configure its requirements for a safe environment; a foreground app can request the OS to disallow access---i.e., to enable veto powers---to selected side-channel-prone resources to all other running apps for a certain (short) duration, e.g., no access to the accelerometer during password input. In a sense, we enable a finer-grained access control policy than the current runtime permission model, and delegate the responsibility of the resource access decision (for vetoing) from users to app developers. We implement AppVeto on Android using the Xposed framework, without changing Android APIs. Furthermore, we show that AppVeto imposes negligible overhead, while being effective against several well-known side-channel attacks.

【Keywords】: Security and privacy; Systems security; Operating systems security; Mobile platform security

Big data security 4

29. Progressive processing of system-behavioral query.

Paper Link】 【Pages】:378-389

【Authors】: Jiaping Gui ; Xusheng Xiao ; Ding Li ; Chung Hwan Kim ; Haifeng Chen

【Abstract】: System monitoring has recently emerged as an effective way to analyze and counter advanced cyber attacks. The monitoring data records a series of system events and provides a global view of system behaviors in an organization. Querying such data to identify potential system risks and malicious behaviors helps security analysts detect and analyze abnormal system behaviors caused by attacks. However, since the data volume is huge, queries could easily run for a long time, making it difficult for system experts to obtain prompt and continuous feedback. To support interactive querying over system monitoring data, we propose ProbeQ, a system that progressively processes system-behavioral queries. It allows users to concisely compose queries that describe system behaviors and specify an update frequency to obtain partial results progressively. The query engine of ProbeQ is built based on a framework that partitions ProbeQ queries into sub-queries for parallel execution and retrieves partial results periodically based on the specified update frequency. We concretize the framework with three partition strategies that predict the workloads for sub-queries, where the adaptive workload partition strategy (AdWd) dynamically adjusts the predicted workloads for subsequent sub-queries based on the latest execution information. We evaluate the prototype system of ProbeQ on commonly used queries for suspicious behaviors over real-world system monitoring data, and the results show that the ProbeQ system can provide partial updates progressively (on average 9.1% deviation from the update frequencies) with only 1.2% execution overhead compared to the execution without progressive processing.

【Keywords】: Security and privacy; Human and societal aspects of security and privacy; Usability in security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Software and application security; Software security engineering; Systems security; Operating systems security

30. SecDATAVIEW: a secure big data workflow management system for heterogeneous computing environments.

Paper Link】 【Pages】:390-403

【Authors】: Saeid Mofrad ; Ishtiaq Ahmed ; Shiyong Lu ; Ping Yang ; Heming Cui ; Fengwei Zhang

【Abstract】: Big data workflow management systems (BDWFMSs) have recently emerged as popular platforms to perform large-scale data analytics in the cloud. However, the protection of data confidentiality and secure execution of workflow applications remains an important and challenging problem. Although a few data analytics systems were developed to address this problem, they are limited to specific structures such as Map-Reduce-style workflows and SQL queries. This paper proposes SecDATAVIEW, a BDWFMS that leverages Intel Software Guard eXtensions (SGX) and AMD Secure Encrypted Virtualization (SEV) to develop a heterogeneous trusted execution environment for workflows. SecDATAVIEW aims to (1) provide the confidentiality and integrity of code and data for workflows running on public untrusted clouds, (2) minimize the TCB size for a BDWFMS, (3) enable the trade-off between security and performance for workflows, and (4) support the execution of Java-based workflow tasks in SGX. Our experimental results show that SecDATAVIEW imposes 1.69x to 2.62x overhead on workflow execution time on SGX worker nodes, 1.04x to 1.29x overhead on SEV worker nodes, and 1.20x to 1.43x overhead on a heterogeneous setting in which both SGX and SEV worker nodes are used.

【Keywords】: Security and privacy

31. Mining least privilege attribute based access control policies.

Paper Link】 【Pages】:404-416

【Authors】: Matthew W. Sanders ; Chuan Yue

【Abstract】: Creating effective access control policies is a significant challenge to many organizations. Over-privilege increases security risk from compromised credentials, insider threats, and accidental misuse. Under-privilege prevents users from performing their duties. Policies must balance between these competing goals of minimizing under-privilege vs. over-privilege. The Attribute Based Access Control (ABAC) model has been gaining popularity in recent years because of its advantages in granularity, flexibility, and usability. ABAC allows administrators to create policies based on attributes of users, operations, resources, and the environment. However, in practice, it is often very difficult to create effective ABAC policies in terms of minimizing under-privilege and over-privilege especially for large and complex systems because their ABAC privilege spaces are typically gigantic. In this paper, we take a rule mining approach to mine systems' audit logs for automatically generating ABAC policies which minimize both under-privilege and over-privilege. We propose a rule mining algorithm for creating ABAC policies with rules, a policy scoring algorithm for evaluating ABAC policies from the least privilege perspective, and performance optimization methods for dealing with the challenges of large ABAC privilege spaces. Using a large dataset of 4.7 million Amazon Web Service (AWS) audit log events, we demonstrate that our automated approach can effectively generate least privilege ABAC policies, and can generate policies with less over-privilege and under-privilege than a Role Based Access Control (RBAC) approach. Overall, we hope our work can help promote a wider and faster deployment of the ABAC model, and can help unleash the advantages of ABAC to better protect large and complex computing systems.

【Keywords】: Security and privacy; Security services; Access control

32. MalRank: a measure of maliciousness in SIEM-based knowledge graphs.

Paper Link】 【Pages】:417-429

【Authors】: Pejman Najafi ; Alexander Mühle ; Wenzel Pünter ; Feng Cheng ; Christoph Meinel

【Abstract】: In this paper, we formulate threat detection in SIEM environments as a large-scale graph inference problem. We introduce a SIEM-based knowledge graph which models global associations among entities observed in proxy and DNS logs, enriched with related open source intelligence (OSINT) and cyber threat intelligence (CTI). Next, we propose MalRank, a graph-based inference algorithm designed to infer a node maliciousness score based on its associations to other entities presented in the knowledge graph, e.g., shared IP ranges or name servers.

【Keywords】: Information systems; Information systems applications; Data mining; Security and privacy; Intrusion/anomaly detection and malware mitigation; Intrusion detection systems; Malware and its mitigation

Malware 4

33. Cubismo: decloaking server-side malware via cubist program analysis.

Paper Link】 【Pages】:430-443

【Authors】: Abbas Naderi-Afooshteh ; Yonghwi Kwon ; Anh Nguyen-Tuong ; Mandana Bagheri-Marzijarani ; Jack W. Davidson

【Abstract】: Malware written in dynamic languages such as PHP routinely employs anti-analysis techniques such as obfuscation schemes and evasive tricks to avoid detection. On top of that, attackers use automated malware creation tools to create numerous variants with little to no manual effort.

【Keywords】: Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Software and application security; Web application security; Systems security

34. Neurlux: dynamic malware analysis without feature engineering.

Paper Link】 【Pages】:444-455

【Authors】: Chani Jindal ; Christopher Salls ; Hojjat Aghakhani ; Keith Long ; Christopher Kruegel ; Giovanni Vigna

【Abstract】: Malware detection plays a vital role in computer security. Modern machine learning approaches have been centered around domain knowledge for extracting malicious features. However, many potential features can be used, and it is time consuming and difficult to manually identify the best features, especially given the diverse nature of malware.

【Keywords】: Computing methodologies; Machine learning; Machine learning approaches; Neural networks; Security and privacy; Software and application security

35. A game of "Cut and Mouse": bypassing antivirus by simulating user inputs.

Paper Link】 【Pages】:456-465

【Authors】: Ziya Alper Genç ; Gabriele Lenzini ; Daniele Sgandurra

【Abstract】: To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AVs' protection is a full-time task and AVs are engaged in a cat-and-mouse game where malware, e.g., through obfuscation and polymorphism, denial of service attacks and malformed packets and parameters, try to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-act, for instance by using adversarial inputs to avoid detection, et cetera. This paper investigates two novel moves for the malware side. The first one consists in simulating mouse events to control AVs, namely to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse.

【Keywords】: Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation

36. My script engines know what you did in the dark: converting engines into script API tracers.

Paper Link】 【Pages】:466-477

【Authors】: Toshinori Usui ; Yuto Otsuki ; Yuhei Kawakoya ; Makoto Iwamura ; Jun Miyoshi ; Kanta Matsuura

【Abstract】: Malicious scripts have been crucial attack vectors in recent attacks such as malware spam (malspam) and fileless malware. Since malicious scripts are generally obfuscated, statically analyzing them is difficult due to reflections. Therefore, dynamic analysis, which is not affected by obfuscation, is used for malicious script analysis. However, despite its wide adoption, some problems remain unsolved. Current designs of script analysis tools do not fulfill the following three requirements important for malicious script analysis. (1) Universally applicable to various script languages, (2) capable of outputting analysis logs that can precisely recover the behavior of malicious scripts, and (3) applicable to proprietary script engines.

【Keywords】: Computing methodologies; Symbolic and algebraic manipulation; Symbolic and algebraic algorithms; Optimization algorithms; Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Software and application security; Software reverse engineering; Software and its engineering; Software organization and properties; Software system structures; Software architectures; Simulator / interpreter

Web security 4

37. BakingTimer: privacy analysis of server-side request processing time.

Paper Link】 【Pages】:478-488

【Authors】: Iskander Sánchez-Rola ; Davide Balzarotti ; Igor Santos

【Abstract】: Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users.

【Keywords】: Security and privacy; Systems security; Browser security

38. PDoT: private DNS-over-TLS with TEE support.

Paper Link】 【Pages】:489-499

【Authors】: Yoshimichi Nakatsuka ; Andrew Paverd ; Gene Tsudik

【Abstract】: Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

【Keywords】: Security and privacy; Human and societal aspects of security and privacy; Privacy protections; Network security; Web protocol security; Security in hardware; Hardware security implementation; Hardware-based security protocols

39. Casino royale: a deep exploration of illegal online gambling.

Paper Link】 【Pages】:500-513

【Authors】: Hao Yang ; Kun Du ; Yubao Zhang ; Shuang Hao ; Zhou Li ; Mingxuan Liu ; Haining Wang ; Hai-Xin Duan ; Yazhou Shi ; XiaoDong Su ; Guang Liu ; Zhifeng Geng ; Jianping Wu

【Abstract】: The popularity of online gambling could bring negative social impact, and many countries ban or restrict online gambling. Taking China for example, online gambling violates Chinese laws and hence is illegal. However, illegal online gambling websites are still thriving despite strict restrictions, since they are able to make tremendous illicit profits by trapping and cheating online players. In this paper, we conduct the first deep analysis on illegal online gambling targeting Chinese to unveil its profit chain. After successfully identifying more than 967,954 suspicious illegal gambling websites, we inspect these illegal gambling websites from five aspects, including webpage structure similarity, SEO (Search Engine Optimization) methods, the abuse of Internet infrastructure, third-party online payment, and gambling group. Then we conduct a measurement study on the profit chain of illegal online gambling, investigating the upstream and downstream of these illegal gambling websites. We mainly focus on promotion strategies, third-party online payment, the abuse of third-party live chat services, and network infrastructures. Our findings shed light on the ecosystem of online gambling and help the security community thwart illegal online gambling.

【Keywords】: Security and privacy; Software and application security; Web application security

40. Leveraging locality of reference for certificate revocation.

Paper Link】 【Pages】:514-528

【Authors】: Luke Dickinson ; Trevor Smith ; Kent E. Seamons

【Abstract】: X.509 certificate revocation defends against man-in-the-middle attacks involving a compromised certificate. Certificate revocation strategies face scalability, effectiveness, and deployment challenges as HTTPS adoption rates have soared. We propose Certificate Revocation Table (CRT), a new revocation strategy that is competitive with or exceeds alternative state-of-the-art solutions in effectiveness, efficiency, certificate growth scalability, mass revocation event scalability, revocation timeliness, privacy, and deployment requirements. The CRT design assumes that locality of reference applies to the certificates accessed by an organization. The CRT periodically checks the revocation status of X.509 certificates recently used by the organization. Pre-checking the revocation status of certificates the clients are likely to use avoids the security problems of on-demand certificate revocation checking.

【Keywords】: Security and privacy; Network security; Web protocol security

Network security 4

41. Opening Pandora's box through ATFuzzer: dynamic analysis of AT interface for Android smartphones.

Paper Link】 【Pages】:529-543

【Authors】: Imtiaz Karim ; Fabrizio Cicala ; Syed Rafiul Hussain ; Omar Chowdhury ; Elisa Bertino

【Abstract】: This paper focuses on checking the correctness and robustness of the AT command interface exposed by the cellular baseband processor through Bluetooth and USB. A device's application processor uses this interface for issuing high-level commands (or, AT commands) to the baseband processor for performing cellular network operations (e.g., placing a phone call). Vulnerabilities in this interface can be leveraged by malicious Bluetooth peripherals to launch pernicious attacks including DoS and privacy attacks. To identify such vulnerabilities, we propose ATFuzzer that uses a grammar-guided evolutionary fuzzing approach which mutates production rules of the AT command grammar instead of concrete AT commands. Empirical evaluation with ATFuzzer on 10 Android smartphones from 6 vendors revealed 4 invalid AT command grammars over Bluetooth and 13 over USB with implications ranging from DoS, downgrade of cellular protocol version (e.g., from 4G to 3G/2G) to severe privacy leaks. The vulnerabilities along with the invalid AT command grammars were responsibly disclosed to affected vendors and two of the reported vulnerabilities have been already assigned CVEs (CVE-2019-16400 and CVE-2019-16401).

【Keywords】: Security and privacy; Network security; Mobile and wireless security; Systems security; Denial-of-service attacks; Distributed systems security

42. SRFuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities.

Paper Link】 【Pages】:544-556

【Authors】: Yu Zhang ; Wei Huo ; Kunpeng Jian ; Ji Shi ; Haoliang Lu ; Longquan Liu ; Chen Wang ; Dandan Sun ; Chao Zhang ; Baoxu Liu

【Abstract】: SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in the cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited, due to the lack of input specification, lack of routers' internal running states, and lack of testing environment recovery mechanisms. Moreover, fuzzing in general only reports memory corruption vulnerabilities, and fails to discover other vulnerabilities, e.g., web-based vulnerabilities.

【Keywords】: Security and privacy; Security in hardware; Embedded systems security; Software and application security; Software security engineering

43. Premadoma: an operational solution for DNS registries to prevent malicious domain registrations.

Paper Link】 【Pages】:557-567

【Authors】: Jan Spooren ; Thomas Vissers ; Peter Janssen ; Wouter Joosen ; Lieven Desmet

【Abstract】: DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this paper, we design and evaluate Premadoma, a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threats. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model's performance and adaptability on an 11 month testing set, and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed Premadoma in the production environment of the .eu ccTLD registry to detect and prevent malicious registrations, and have contributed to the take down of 58,966 registrations in 2018.

【Keywords】: Information systems; World Wide Web; Networks; Network architectures; Network design principles; Naming and addressing; Security and privacy; Intrusion/anomaly detection and malware mitigation

44. Coordinated dataflow protection for ultra-high bandwidth science networks.

Paper Link】 【Pages】:568-583

【Authors】: Vasudevan Nagendra ; Vinod Yegneswaran ; Phillip A. Porras ; Samir R. Das

【Abstract】: The Science DMZ (SDMZ) is a special purpose network architecture proposed by ESnet (Energy Sciences Network) to facilitate distributed science experimentation on terabyte- (or petabyte-) scale data, exchanged over ultra-high bandwidth WAN links. Critical security challenges faced by these networks include: (i) network monitoring at high bandwidths, (ii) reconciling site-specific policies with project-level policies for conflict-free policy enforcement, (iii) dealing with geographically-distributed datasets with varying levels of sensitivity, and (iv) dynamically enforcing appropriate security rules. To address these challenges, we develop a fine-grained dataflow-based security enforcement system, called CoordiNetZ (CNZ), that provides coordinated situational awareness, i.e., the use of context-aware tagging for policy enforcement using the dynamic contextual information derived from hosts and network elements. We also developed tag and IP-based security microservices that incur minimal overheads in enforcing security to data flows exchanged across geographically-distributed SDMZ sites. We evaluate our prototype implementation across two geographically distributed SDMZ sites with SDN-based case studies, and present performance measurements that respectively highlight the utility of our framework and demonstrate efficient implementation of security policies across distributed SDMZ networks.

【Keywords】: Networks; Network architectures; Programming interfaces; Network performance evaluation; Network performance analysis; Network services; In-network processing; Security and privacy; Systems security; Firewalls

Software security II 4

45. Analyzing control flow integrity with LLVM-CFI.

Paper Link】 【Pages】:584-597

【Authors】: Paul Muntean ; Matthias Neumayer ; Zhiqiang Lin ; Gang Tan ; Jens Grossklags ; Claudia Eckert

【Abstract】: Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availability. Further, tool comparison is underdeveloped or not possible at all. CFI has proven to be one of the most promising protections against control flow hijacking attacks, thus many efforts have been made to improve CFI in various ways. However, there is a lack of systematic assessment of existing CFI protections.

【Keywords】: Security and privacy; Software and application security; Systems security

46. Mitigating data leakage by protecting memory-resident sensitive data.

【Paper Link】 【Pages】:598-611

【Authors】: Tapti Palit ; Fabian Monrose ; Michalis Polychronakis

【Abstract】: Gaining reliable arbitrary code execution through the exploitation of memory corruption vulnerabilities is becoming increasingly more difficult in the face of modern exploit mitigations. Facing this challenge, adversaries have started shifting their attention to data leakage attacks, which can lead to equally damaging outcomes, such as the disclosure of private keys or other sensitive data.

【Keywords】: Security and privacy; Software and application security; Software security engineering

47. FRAMER: a tagged-pointer capability system with memory safety applications.

【Paper Link】 【Pages】:612-626

【Authors】: Myoung Jin Nam ; Periklis Akritidis ; David J. Greaves

【Abstract】: Security mechanisms for systems programming languages, such as fine-grained memory protection for C/C++, authorize operations at runtime using access rights associated with objects and pointers. The cost of such fine-grained capability-based security models is dominated by metadata updates and lookups, making efficient metadata management the key for minimizing performance impact. Existing approaches reduce metadata management overheads by sacrificing precision, breaking binary compatibility by changing object memory layout, or wasting space with excessive alignment or large shadow memory spaces.

【Keywords】: Security and privacy; Software and application security; Systems security

48. FuzzBuilder: automated building greybox fuzzing environment for C/C++ library.

【Paper Link】 【Pages】:627-637

【Authors】: Joonun Jang ; Huy Kang Kim

【Abstract】: Fuzzing is an effective method to find bugs in software. Many security communities are interested in fuzzing as an automated approach to verify software security because most of the bugs discovered by fuzzing are related to security vulnerabilities. However, not all software can be tested by fuzzing because fuzzing requires a running environment, especially an executable. Notably, in the case of libraries, most of the libraries do not have a relevant executable in practice. Thus, state-of-the-art fuzzers have a limitation to test an arbitrary library. To overcome this problem, we propose FuzzBuilder to provide an automated fuzzing environment for libraries. FuzzBuilder generates an executable that calls library API functions to enable library fuzzing. Moreover, any executable generated by FuzzBuilder is compatible with existing fuzzers such as AFL. We evaluate the overall performance of FuzzBuilder by testing open source libraries. Consequently, we discovered unknown bugs in libraries while achieving high code coverage. We believe that FuzzBuilder helps security researchers to save both setup cost and learning cost for library fuzzing.

【Keywords】: Security and privacy; Software and application security; Software security engineering

Embedded security 4

49. The chatty-sensor: a provably-covert channel in cyber physical systems.

【Paper Link】 【Pages】:638-649

【Authors】: Amir Herzberg ; Yehonatan Kfir

【Abstract】: Cyber physical systems (CPS) typically contain multiple control loops, where the controllers use actuators to trigger a physical process, based on sensor readings. Attackers typically coordinate attack with multiple corrupted devices; defenses often focus on detecting this abnormal communication.

【Keywords】: Networks; Network types; Cyber-physical networks; Security and privacy; Intrusion/anomaly detection and malware mitigation; Intrusion detection systems; Security in hardware

50. HDMI-walk: attacking HDMI distribution networks via consumer electronic control protocol.

【Paper Link】 【Pages】:650-659

【Authors】: Luis Puche Rondon ; Leonardo Babun ; Kemal Akkaya ; A. Selcuk Uluagac

【Abstract】: The High Definition Multimedia Interface (HDMI) is the backbone and the de-facto standard for Audio/Video interfacing between video-enabled devices. Today, almost tens of billions of HDMI devices exist in the world and are widely used to distribute A/V signals in smart homes, offices, concert halls, and sporting events making HDMI one of the most highly deployed systems in the world. An important component in HDMI is the Consumer Electronics Control (CEC) protocol, which allows for the interaction between devices within an HDMI distribution network. Nonetheless, existing network security mechanisms only protect traditional networking components, leaving CEC outside of their scope. In this work, we identify and tap into CEC protocol vulnerabilities, using them to implement realistic proof-of-work attacks on HDMI distribution networks. We study, how current insecure CEC protocol practices and carelessly implemented HDMI distributions may grant an adversary a novel attack surface for HDMI devices otherwise thought to be unreachable through traditional means. To introduce this novel attack surface, in this paper, we present HDMI-Walk, which opens a realm of remote and local CEC attacks to HDMI devices. Specifically, with HDMI-Walk, an attacker can perform malicious analysis of devices, eavesdropping, Denial of Service attacks, targeted device attacks, and even facilitate other well-known existing attacks through HDMI. With HDMI-Walk, we prove that it is feasible for an attacker to gain arbitrary control of HDMI devices. We demonstrate the implementations of both local and remote attacks with commodity HDMI devices including Smart TVs and Media Players. Our work aims to uncover vulnerabilities in a very well deployed system like HDMI distributions. The consequences of which can largely impact HDMI users as well as other systems which depend on these distributions. Finally, we discuss security mechanisms to provide impactful and comprehensive security evaluation to these real-world systems while guaranteeing deployability and providing minimal overhead, while considering the current limitations of the CEC protocol. To the best of our knowledge, this is the first work solely investigating the security of HDMI device distribution networks.

【Keywords】: Security and privacy; Network security; Denial-of-service attacks; Systems security; Distributed systems security

51. Out of control: stealthy attacks against robotic vehicles protected by control-based techniques.

【Paper Link】 【Pages】:660-672

【Authors】: Pritam Dash ; Mehdi Karimibiuki ; Karthik Pattabiraman

【Abstract】: Robotic vehicles (RVs) are cyber-physical systems that operate in the physical world under the control of software functions. They are increasing in adoption in many industrial sectors. RVs rely on sensors and actuators for system operations and navigation. Control algorithm based estimation techniques have been used in RVs to minimize the effects of noisy sensors, prevent faulty actuator output, and recently, in detecting attacks against RVs. In this paper, we propose three kinds of attacks to evade the control-based detection techniques and cause RVs to malfunction. We also propose automated algorithms for performing the attacks without requiring the attacker to expend significant effort or know specific details of the RV, making the attacks applicable to a wide range of RVs. We demonstrate these attacks on ArduPilot simulators and two real RVs (a drone and a rover) in the presence of an Intrusion Detection System (IDS) using control estimation models to monitor the runtime behavior of the system. We find that the control models are incapable of detecting our stealthy attacks, and that the attacks can have significant adverse impact on the RV's mission (e.g., cause the RV to crash or deviate from its target significantly).

【Keywords】: Computer systems organization; Embedded and cyber-physical systems; Sensors and actuators; Security and privacy; Intrusion/anomaly detection and malware mitigation; Intrusion detection systems

52. WooKey: designing a trusted and efficient USB device.

【Paper Link】 【Pages】:673-686

【Authors】: Ryad Benadjila ; Arnauld Michelizza ; Mathieu Renard ; Philippe Thierry ; Philippe Trebuchet

【Abstract】: The work presented in this paper takes place in the design initiatives that have emerged to thwart BadUSB threats [59]. Though many attempts were focusing on the host side, by enhancing the operating system's USB sub-module robustness [78, 80] or by adding a proxy between the host and the device [6, 53], we have chosen to focus our efforts on the device side. More specifically, our work presents the WooKey platform, a custom highly secure USB thumb drive with mass storage capabilities, designed for user data encryption and protection, and embedding a full-fledged set of in-depth defenses. The device encloses a firmware with a secure DFU (Device Firmware Update) implementation using up-to-date cryptography as well as an external and extractable authentication token based on a secure element. The runtime software security is built upon EwoK, an innovative open source microkernel designed for microcontrollers with advanced security and performance in mind. Finally, another strength of the project is its core guiding principle: provide an open source and open hardware platform [3] using off-the-shelf components.

【Keywords】: Hardware; Printed circuit boards; PCB design and layout; Security and privacy; Security in hardware; Embedded systems security; Systems security; Operating systems security

Usability & human aspects 4

53. EIGER: automated IOC generation for accurate and interpretable endpoint malware detection.

【Paper Link】 【Pages】:687-701

【Authors】: Yuma Kurogome ; Yuto Otsuki ; Yuhei Kawakoya ; Makoto Iwamura ; Syogo Hayashi ; Tatsuya Mori ; Koushik Sen

【Abstract】: A malware signature including behavioral artifacts, namely Indicator of Compromise (IOC) plays an important role in security operations, such as endpoint detection and incident response. While building IOC enables us to detect malware efficiently and perform the incident analysis in a timely manner, it has not been fully-automated yet. To address this issue, there are two lines of promising approaches: regular expression-based signature generation and machine learning. However, each approach has a limitation in accuracy or interpretability, respectively.

【Keywords】: Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation

54. "Your hashed IP address: Ubuntu.": perspectives on transparency tools for online advertising.

【Paper Link】 【Pages】:702-717

【Authors】: Tobias Urban ; Martin Degeling ; Thorsten Holz ; Norbert Pohlmann

【Abstract】: Ad personalization has been criticized in the past for invading privacy, lack of transparency, and improper controls offered to users. Recently, companies started to provide web portals and other means for users to access data collected about them. In this paper, we study these new transparency tools from multiple perspectives using a mixed-methods approach. Still practices of data sharing barely changed until recently when new legislation required all companies to grant individual access to personal data stored about them. Using a mixed-methods approach we study the benefits of the new rights for users. First, we analyze transparency tools provided by 22 companies and check whether they follow previous recommendations for usability and user expectations. Based on these insights, we conduct a survey with 490 participants to evaluate three common approaches to disclose data. To complement this user-centric view, we shed light on the design decisions and complexities of transparency in online advertising using an online survey (n = 24) and in-person interviews (n = 8) with experts from the industry. We find that newly created transparency tools present a variety of information to users, from detailed technical logs to high-level interest segment information. Our results indicate that users do not (yet) know what to learn from the data and mistrust the accuracy of the information shown to them. At the same time, new transparency requirements pose several challenges to an industry that excessively shares data that even they sometimes cannot relate to an individual.

【Keywords】: Security and privacy; Human and societal aspects of security and privacy; Usability in security and privacy

55. Will you trust this TLS certificate?: perceptions of people working in IT.

【Paper Link】 【Pages】:718-731

【Authors】: Martin Ukrop ; Lydia Kraus ; Vashek Matyas ; Heider Ahmad Mutleq Wahsheh

【Abstract】: Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much does the content of error messages and documentation influence these perceptions.

【Keywords】: Human-centered computing; Security and privacy; Human and societal aspects of security and privacy; Usability in security and privacy; Security services; Authentication

56. I know what you did last login: inconsistent messages tell existence of a target's account to insiders.

【Paper Link】 【Pages】:732-746

【Authors】: Ayako Akiyama Hasegawa ; Takuya Watanabe ; Eitaro Shioji ; Mitsuaki Akiyama

【Abstract】: Account security to protect user accounts against sensitive data breaches is a major mission for online service providers. Therefore, they exert tremendous effort in securing account authentication. Although threats from complete outsiders, such as account hijacking for monetization, still occur, recent studies have shed light on threats to privacy from insiders. This paper sheds light on the latter threats. Specifically, we present the first comprehensive study of an attack from insiders that identifies the existence of a target's account by using the target's email address and insecure login-related messages displayed. Such a threat may violate intimates' or acquaintances' privacy because the kinds of service accounts a user has implies his/her personal preferences or situation. We conducted surveys regarding user expectations and behaviors on online services and a measurement study of the login-related messages on online services that are considered sensitive. We found that over 80% of participants answered that there are sensitive services and that almost all services were vulnerable to our attack. Moreover, about half the participants who have sensitive services are insecurely registered on them and thus could be potential victims. Finally, we make recommendations on the basis of our findings for online service providers to improve login-related messages and for users to take appropriate defensive actions.

【Keywords】: Security and privacy; Human and societal aspects of security and privacy; Software and application security; Web application security

OS security 2

57. Speculator: a tool to analyze speculative execution attacks and mitigations.

【Paper Link】 【Pages】:747-761

【Authors】: Andrea Mambretti ; Matthias Neugschwandtner ; Alessandro Sorniotti ; Engin Kirda ; William K. Robertson ; Anil Kurmus

【Abstract】: Speculative execution attacks exploit vulnerabilities at a CPU's microarchitectural level, which, until recently, remained hidden below the instruction set architecture, largely undocumented by CPU vendors. New speculative execution attacks are released on a monthly basis, showing how aspects of the so-far unexplored microarchitectural attack surface can be exploited. In this paper, we introduce, Speculator, a new tool to investigate these new microarchitectural attacks and their mitigations, which aims to be the GDB of speculative execution. Using speculative execution markers, set of instructions that we found are observable through performance counters during CPU speculation, Speculator can study microarchitectural behavior of single snippets of code, or more complex attacker and victim scenarios (e.g. Branch Target Injection (BTI) attacks). We also present our findings on multiple CPU platforms showing the precision and the flexibility offered by Speculator and its templates.

【Keywords】: Security and privacy; Security in hardware; Hardware attacks and countermeasures; Side-channel analysis and countermeasures; Hardware reverse engineering

58. Survivor: a fine-grained intrusion response and recovery approach for commodity operating systems.

【Paper Link】 【Pages】:762-775

【Authors】: Ronny Chevalier ; David Plaquin ; Chris I. Dalton ; Guillaume Hiet

【Abstract】: Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers to reinfect the system or to achieve their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.

【Keywords】: Security and privacy; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation; Systems security; Operating systems security

Side channels 2

59. Robust keystroke transcription from the acoustic side-channel.

【Paper Link】 【Pages】:776-787

【Authors】: David Slater ; Scott Novotney ; Jessica Moore ; Sean Morgan ; Scott Tenaglia

【Abstract】: The acoustic emanations from keyboards provide a side-channel attack from which an attacker can recover sensitive user information, such as passwords and personally identifiable information. Previous work has shown the feasibility of these attacks given isolated key strokes, but has not demonstrated robust keystroke detection and segmentation in the presence of realistic noise and fast typing speeds. Common problems include noises like doors closing or speech as well as overlapping keystroke waveforms. Prior work has assumed that isolating the waveform of individual key strokes can be achieved with near 100% accuracy, but we show that these techniques generate a large number of misses and false positives, drastically impacting the downstream keystroke classification task.

【Keywords】: Human-centered computing; Human computer interaction (HCI); Interaction devices; Keyboards; Security and privacy; Security in hardware; Hardware attacks and countermeasures; Side-channel analysis and countermeasures

60. DR.SGX: automated and adjustable side-channel protection for SGX using data location randomization.

【Paper Link】 【Pages】:788-800

【Authors】: Ferdinand Brasser ; Srdjan Capkun ; Alexandra Dmitrienko ; Tommaso Frassetto ; Kari Kostiainen ; Ahmad-Reza Sadeghi

【Abstract】: Recent research has demonstrated that Intel's SGX is vulnerable to software-based side-channel attacks. In a common attack, the adversary monitors CPU caches to infer secret-dependent data accesses patterns. Known defenses have major limitations, as they require either error-prone developer assistance, incur extremely high runtime overhead, or prevent only specific attacks.

【Keywords】: Security and privacy; Security in hardware; Hardware attacks and countermeasures; Side-channel analysis and countermeasures; Systems security; Operating systems security; Trusted computing