47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017, Denver, CO, USA, June 26-29, 2017. IEEE Computer Society 【DBLP Link】
【Paper Link】 【Pages】:1-12
【Authors】: Jingwei Li ; Chuan Qin ; Patrick P. C. Lee ; Xiaosong Zhang
【Abstract】: Encrypted deduplication seamlessly combines encryption and deduplication to simultaneously achieve both data security and storage efficiency. State-of-the-art encrypted deduplication systems mostly adopt a deterministic encryption approach that encrypts each plaintext chunk with a key derived from the content of the chunk itself, so that identical plaintext chunks are always encrypted into identical ciphertext chunks for deduplication. However, such deterministic encryption inherently reveals the underlying frequency distribution of the original plaintext chunks. This allows an adversary to launch frequency analysis against the resulting ciphertext chunks, and ultimately infer the content of the original plaintext chunks. In this paper, we study how frequency analysis practically affects information leakage in encrypted deduplication storage, from both attack and defense perspectives. We first propose a new inference attack that exploits chunk locality to increase the coverage of inferred chunks. We conduct trace-driven evaluation on both real-world and synthetic datasets, and show that the new inference attack can infer a significant fraction of plaintext chunks under backup workloads. To protect against frequency analysis, we borrow the idea of existing performance-driven deduplication approaches and consider an encryption scheme called MinHash encryption, which disturbs the frequency rank of ciphertext chunks by encrypting some identical plaintext chunks into multiple distinct ciphertext chunks. Our trace-driven evaluation shows that MinHash encryption effectively mitigates the inference attack, while maintaining high storage efficiency.
【Keywords】: Encryption; Maximum likelihood estimation; Time-frequency analysis; Data models; Computer security
【Paper Link】 【Pages】:13-24
【Authors】: Jingyao Fan ; Qinghua Li ; Guohong Cao
【Abstract】: Smart meters can record fine-grained power consumption data and provide such data to the power supplier through realtime communications. Although smart meters can make power management more efficient and fault-tolerant, they also pose bigger threats to user privacy. Data from smart meters contain fine-grained power consumption information of home appliances and thus can be used to infer the ON/OFF states of home appliances. This problem has received some attention in the literature, however, most of them focus on active power based attacks. This paper focuses on reactive power and demonstrates how attackers can exploit reactive power data to infer appliance usage information. Experiments on real residential smart meter data show that our proposed attack can identify the ON/OFF events of home appliance with high accuracy. To protect users against such attacks, a novel defense technique called Reactive Power Obfuscation (RPO) is proposed. RPO can mask the true reactive power demand from the smart meter by using a capacitor to store and provide reactive power in a controlled manner. We evaluate the performance of RPO based on real household power consumption data. Evaluation results show that the ON/OFF events of home appliances can hardly be revealed from reactive power data when RPO is applied.
【Keywords】: Smart Meter; Privacy Leakage; Reactive Power
【Paper Link】 【Pages】:25-36
【Authors】: Guosai Wang ; Lifei Zhang ; Wei Xu
【Abstract】: Hardware failures have a big impact on the dependability of large-scale data centers. We present studies on over 290,000 hardware failure reports collected over the past four years from dozens of data centers with hundreds of thousands of servers. We examine the dataset statistically to discover failure characteristics along the temporal, spatial, product line and component dimensions. We specifically focus on the correlations among different failures, including batch and repeating failures, as well as the human operators' response to the failures. We reconfirm or extend findings from previous studies. We also find many new failure and recovery patterns that are the undesirable by-product of the state-of-the-art data center hardware and software design.
【Keywords】: Hardware; Servers; Frequency modulation; Maintenance engineering; Companies; Electric breakdown
【Paper Link】 【Pages】:37-48
【Authors】: Paulo R. Coelho ; Nicolas Schiper ; Fernando Pedone
【Abstract】: Atomic multicast is a communication building block of scalable and highly available applications. With atomic multicast, messages can be ordered and reliably propagated to one or more groups of server processes. Because each message can be multicast to a different set of destinations, distributed message ordering is challenging. Some atomic multicast protocols address this challenge by ordering all messages using a fixed group of processes, regardless of the destination of the messages. To be efficient, however, an atomic multicast protocol must be genuine: only the message sender and destination groups should communicate to order a message. In this paper, we present FastCast, a genuine atomic multicast algorithm that offers unprecedented low time complexity, measured in communication delays. FastCast can order messages addressed to multiple groups in four communication delays, messages addressed to a single group take three communication delays. In addition to proposing a novel atomic multicast protocol, we extensively assess its performance experimentally.
【Keywords】: distributed systems; algorithm; cloud computing; group communication
【Paper Link】 【Pages】:49-60
【Authors】: Balaji Arun ; Sebastiano Peluso ; Roberto Palmieri ; Giuliano Losa ; Binoy Ravindran
【Abstract】: This paper proposes CAESAR, a novel multi-leader Generalized Consensus protocol for geographically replicated sites. The main goal of CAESAR is to overcome one of the major limitations of existing approaches, which is the significant performance degradation when application workload produces conflicting requests. CAESAR does that by changing the way a fast decision is taken: its ordering protocol does not reject a fast decision for a client request if a quorum of nodes reply with different dependency sets for that request. The effectiveness of CAESAR is demonstrated through an evaluation study performed on Amazon's EC2 infrastructure using 5 geo-replicated sites. CAESAR outperforms other multi-leader (e.g., EPaxos) competitors by as much as 1.7x in the presence of 30% conflicting requests, and single-leader (e.g., Multi-Paxos) by up to 3.5x.
【Keywords】: Consensus; Geo-Replication; Paxos
【Paper Link】 【Pages】:61-72
【Authors】: Sisi Duan ; Michael K. Reiter ; Haibin Zhang
【Abstract】: We revisit the problem of preserving causality in Byzantine fault-tolerant (BFT) atomic broadcast protocols, a requirement first proposed by Reiter and Birman (TOPLAS 1994). While over the past three decades, this requirement has been met through the deployment of expensive public-key threshold cryptosystems, we propose three novel, secure causal BFT protocols without using public-key cryptography. We implement and evaluate these protocols, showing that they significantly outperform existing constructions that use threshold cryptosystems.
【Keywords】: Protocols; Encryption; Servers; Fault tolerance; Fault tolerant systems; Computer crashes
【Paper Link】 【Pages】:73-84
【Authors】: Meng Wang ; Huixiang Chen ; Tao Li
【Abstract】: Nowadays, mobile devices are pervasively used by almost everyone. The majority of mobile devices use embedded-Multi Media Cards (eMMC) as storage. However, the crash-proof mechanism of existing I/O stack has not fully exploited the features of eMMC. In some real usage scenarios, the legacy data persistence procedure may dramatically degrade performance of the system. In response to this, this paper exploits the hardware features of eMMC to improve the efficiency of data persistence while preserving the reliability of current mobile systems. We characterize the existing data persistence scheme and observe that the hardware-agnostic design generates excessive non-critical data and adds expensive barriers in data persistence paths. We alleviate these overheads by leveraging eMMC features. Based on evaluations on real systems, our optimizations achieve 5%-31% performance improvement across a wide range of mobile apps.
【Keywords】: mobile system; storage; crash consistency; file system journaling; I/O performance; eMMC
【Paper Link】 【Pages】:85-96
【Authors】: Amin Jadidi ; Mohammad Arjomand ; Mohammad Khavari Tavana ; David R. Kaeli ; Mahmut T. Kandemir ; Chita R. Das
【Abstract】: Limited write endurance is the main obstacle standing in the way of using phase change memory (PCM) in future computing systems. While several wear-leveling and hard-error tolerant techniques have been proposed for improving PCM lifetime, most of these approaches assume that the underlying memory uses a very simple write traffic reduction scheme (e.g., buffering, differential writes). In particular, most PCM prototypes/chips are equipped with an embedded circuit to support differential writes (DW) - on a write, only the bits that differ between the old and new data are updated. With DW, the bit-pattern of updates in a memory block is usually random, which limits the opportunity to exploit the resulting bit pattern for lifetime enhancement at an architecture level (e.g., using techniques such as wear-leveling and hard-error tolerance). This paper focuses on this inefficiency and proposes a solution based on data compression. Employing compression can improve the lifetime of the PCM memory. Using state-of-the-art compression schemes, the size of the compressed data is usually much smaller than the original data written back to memory from the last-level cache on an eviction. By storing data in a compressed format in the target memory block, first, we limit the number of bit flips to fewer memory cells, enabling more efficient intra-line wear-leveling and error recovery, and second, the unused bits in the memory block can be reused as replacements for faulty bits given the reduced size of the (compressed) data. It can also happen that for a portion of the memory blocks, the resulting compressed data is not very small. This can be due to increased data entropy introduced by compression, where the total number of bit flips will be increased over the baseline system. In this paper, we present an approach that provides collaborative operation of data compression, differential writes, wear-leveling and hard-error tolerant techniques targeting PCM memories. We propose approaches that reap the maximum benefits from compression, while also enjoying the benefits of techniques that reduce the number of high-entropy writes. Using an approach that combines different solutions, our mechanism tolerates 2.9× more cell failures per memory line and achieves a 4.3× increase in PCM memory lifetime, relative to our baseline state-of-the-art PCM DIMM memory.
【Keywords】: Resistive memory; hard-error tolerance; compression; phase change memory
【Paper Link】 【Pages】:97-108
【Authors】: Behrooz Sangchoolie ; Karthik Pattabiraman ; Johan Karlsson
【Abstract】: Recent studies have shown that technology and voltage scaling are expected to increase the likelihood that particle-induced soft errors manifest as multiple-bit errors. This raises concerns about the validity of using single bit-flips for assessing the impact of soft errors in fault injection experiments. The goal of this paper is to investigate whether multiple-bit errors could cause a higher percentage of silent data corruptions (SDCs) compared to single-bit errors. Based on 2700 fault injection campaigns with 15 benchmark programs, featuring a total of 27 million experiments, our results show that single-bit errors in most cases yields a higher percentage of SDCs compared to multiple-bit errors. However, in 8% of the campaigns we observed a higher percentage of SDCs for multiple-bit errors. For most of these campaigns, the highest percentage of SDCs was obtained by flipping at most 3 bits. Moreover, we propose three ways of pruning the error space based on the results.
【Keywords】: fault injection; transient hardware faults; single/multiple bit-flip errors; error space pruning
【Paper Link】 【Pages】:109-120
【Authors】: Fan Yao ; Yongbo Li ; Yurong Chen ; Hongfa Xue ; Tian Lan ; Guru Venkataramani
【Abstract】: Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.
【Keywords】: Statistics-guided symbolic execution; program debugging; security; vulnerable path discovery
【Paper Link】 【Pages】:121-132
【Authors】: Ilya Tuzov ; David de Andrés ; Juan Carlos Ruiz
【Abstract】: This paper studies the impact of logical synthesizers parameters on the performance, power-consumption, area (PPA) and dependability of HW implementations. Deducing optimal synthesis-parameter configurations attending to specific goals is challenging even for simple HW models. The proposal relies on fractional factorial design of experiments to minimize simulation-based fault-injection time. The set of synthesis parameters with an statistically significant impact on PPA and dependability goals is then deduced and regression models are generated to estimate such impact for any synthesis-parameter configuration. Optimal configurations are finally selected attending to specific implementation goals. The whole methodology is automated and applied onto the Xilinx XST synthesizer working on a simplex and TMR version of an enhanced Intel 8051 microcontroller model, but it can be potentially applied to any synthesizer and any HDL-based model. Results show that non-negligible benefits in terms of PPA and dependability can be obtained by simply tuning synthesizer parameters in a proper way.
【Keywords】: Tools; Space exploration; Synthesizers; Proposals; Table lookup; Analytical models; Robustness
【Paper Link】 【Pages】:133-144
【Authors】: Qixue Xiao ; Yu Chen ; Chengang Wu ; Kang Li ; Junjie Mao ; Shize Guo ; Yuanchun Shi
【Abstract】: The study of software bugs has long been a key area in software security. Dynamic symbolic execution, in exploring the program's execution paths, finds bugs by analyzing all potential dangerous operations. Due to its high coverage and abilities to generate effective testcases, dynamic symbolic execution has attracted wide attention in the research community. However, the success of dynamic symbolic execution is limited due to complex program logic and its difficulty to handle large symbolic data. In our experiments we found that phase-related features of a program often prevents dynamic symbolic execution from exploring deep paths. On the basis of this discovery, we proposed a novel symbolic execution technology guided by program phase characteristics. Compared to KLEE, the most well-known symbolic execution approach, our method is capable of covering more code and discovering more bugs. We designed and implemented pbSE system, which was used to test several commonly used tools and libraries in Linux. Our results showed that pbSE on average covers code twice as much as what KLEE does, and we discovered 21 previously unknown vulnerabilities by using pbSE, out of which 7 are assigned CVE IDs.
【Keywords】: Concrete; Computer bugs; Software; Tools; Security; Explosions; Libraries
【Paper Link】 【Pages】:145-156
【Authors】: Chen Tian ; Yazhe Wang ; Peng Liu ; Qihui Zhou ; Chengyi Zhang ; Zhen Xu
【Abstract】: Third-party IME (Input Method Editor) apps are often the preference means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHA) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix-substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that "Is this touch event a sensitive keystroke?" analysis will always access user touch events prior to the execution of any IME app code. We designed an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.
【Keywords】: Androids; Humanoid robots; Keyboards; Runtime; Smart phones; Security
【Paper Link】 【Pages】:157-168
【Authors】: Marcus Brandenburger ; Christian Cachin ; Matthias Lorenz ; Rüdiger Kapitza
【Abstract】: Novel hardware-aided trusted execution environments, as provided by Intel's Software Guard Extensions (SGX), enable to execute applications in a secure context that enforces confidentiality and integrity of the application state even when the host system is misbehaving. While this paves the way towards secure and trustworthy cloud computing, essential system support to protect persistent application state against rollback and forking attacks is missing. In this paper we present LCM - a lightweight protocol to establish a collective memory amongst all clients of a remote application to detect integrity and consistency violations. LCM enables the detection of rollback attacks against the remote application, enforces the consistency notion of fork-linearizability and notifies clients about operation stability. The protocol exploits the trusted execution environment, complements it with simple client-side operations, and maintains only small, constant storage at the clients. This simplifies the solution compared to previous approaches, where the clients had to verify all operations initiated by other clients. We have implemented LCM and demonstrated its advantages with a key-value store application. The evaluation shows that it introduces low network and computation overhead, in particular, a LCM-protected key-value store achieves 0.72x - 0.98x of an SGX-secured key-value store throughput.
【Keywords】: Servers; Protocols; Radiation detectors; Computer crashes; Cloud computing; Cryptography; Nonvolatile memory
【Paper Link】 【Pages】:169-180
【Authors】: Bruno Vavala ; Nuno Ferreira Neves ; Peter Steenkiste
【Abstract】: Outsourcing services to third-party providers comes with a high security cost-to fully trust the providers. Using trusted hardware can help, but current trusted execution environments do not adequately support services that process very large scale datasets. We present LASTGT, a system that bridges this gap by supporting the execution of self-contained services over a large state, with a small and generic trusted computing base (TCB). LASTGT uses widely deployed trusted hardware to guarantee integrity and verifiability of the execution on a remote platform, and it securely supplies data to the service through simple techniques based on virtual memory. As a result, LASTGT is general and applicable to many scenarios such as computational genomics and databases, as we show in our experimental evaluation based on an implementation of LAST-GT on a secure hypervisor. We also describe a possible implementation on Intel SGX.
【Keywords】: trusted computing; secure execution; large-scale data; secure virtual memory
【Paper Link】 【Pages】:181-188
【Authors】: Hui Xu ; Yangfan Zhou ; Yu Kang ; Michael R. Lyu
【Abstract】: Concolic execution has achieved great success in many binary analysis tasks. However, it is still not a primary option for industrial usage. A well-known reason is that concolic execution cannot scale up to large-size programs. Many research efforts have focused on improving its scalability. Nonetheless, we find that, even when processing small-size programs, concolic execution suffers a great deal from the accuracy and scalability issues. This paper systematically investigates the challenges that can be introduced even by small-size programs, such as symbolic array and symbolic jump. We further verify that the proposed challenges are non-trivial via real-world experiments with three most popular concolic execution tools: BAP, Triton, and Angr. Among a set of 22 logic bombs we designed, Angr can solve only four cases correctly, while BAP and Triton perform much worse. The results imply that current tools are still primitive for practical industrial usage. We summarize the reasons and release the bombs as open source to facilitate further study.
【Keywords】: concolic execution
【Paper Link】 【Pages】:189-200
【Authors】: Benjamin Kollenda ; Enes Göktas ; Tim Blazytko ; Philipp Koppe ; Robert Gawlik ; Radhesh Krishnan Konoth ; Cristiano Giuffrida ; Herbert Bos ; Thorsten Holz
【Abstract】: Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few "hidden" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.
【Keywords】: Computer crashes; Servers; Resistance; Probes; Metadata; Entropy; Layout
【Paper Link】 【Pages】:201-212
【Authors】: Rui Qiao ; R. Sekar
【Abstract】: Function recognition is one of the key tasks in binary analysis, instrumentation and reverse engineering. Previous approaches for this problem have relied on matching code patterns commonly observed at the beginning and end of functions. While early efforts relied on compiler idioms and expert-identified patterns, more recent works have systematized the process using machine-learning techniques. In contrast, we develop a novel static analysis based method in this paper. In particular, we combine a low-level technique for enumerating candidate functions with a novel static analysis for determining if these candidates exhibit the properties associated with a function interface. Both control-flow properties (e.g., returning to the location at the stack top at the function entry point) and data-flow properties (e.g., parameter passing via registers and the stack, and the degree of adherence to application-binary interface conventions) are checked. Our approach achieves an F1-score above 99% across a broad range of programs across multiple languages and compilers. More importantly, it achieves a 4× or higher reduction in error rate over best previous results.
【Keywords】: Optimization; Error analysis; Instruments; Registers; Robustness; Pattern matching
【Paper Link】 【Pages】:213-224
【Authors】: Bernardo Ferreira ; João Leitão ; Henrique Domingos
【Abstract】: In this paper we propose MIE, a Multimodal Indexable Encryption framework that for the first time allows mobile applications to securely outsource the storage and search of their multimodal data (i.e. data containing multiple media formats) to public clouds with privacy guarantees. MIE is designed as a distributed framework architecture, leveraging on shared cloud repositories that can be accessed simultaneously by multiple users. At its core MIE relies on Distance Preserving Encodings (DPE), a novel family of encoding algorithms with cryptographic properties that we also propose. By applying DPE to multimodal data features, MIE enables high-cost clustering and indexing operations to be handled by cloud servers in a privacy-preserving way. Experiments show that MIE achieves better performance and scalability when compared with the state of art, with measurable impact on mobile resources and battery life.
【Keywords】: Cloud computing; Media; Encryption; Mobile handsets; Encoding; Indexing
【Paper Link】 【Pages】:225-236
【Authors】: Jinyu Gu ; Zhichao Hua ; Yubin Xia ; Haibo Chen ; Binyu Zang ; Haibing Guan ; Jinming Li
【Abstract】: The recent commercial availability of Intel SGX (Software Guard eXtensions) provides a hardware-enabled building block for secure execution of software modules in an untrusted cloud. As an untrusted hypervisor/OS has no access to an enclave's running states, a VM (virtual machine) with enclaves running inside loses the capability of live migration, a key feature of VMs in the cloud. This paper presents the first study on the support for live migration of SGX-capable VMs. We identify the security properties that a secure enclave migration process should meet and propose a software-based solution. We leverage several techniques such as two-phase checkpointing and self-destroy to implement our design on a real SGX machine. Security analysis confirms the security of our proposed design and performance evaluation shows that it incurs negligible performance overhead. Besides, we give suggestions on the future hardware design for supporting transparent enclave migration.
【Keywords】: Program processors; Hardware; Security; Virtual machine monitors; Cloud computing; Context
【Paper Link】 【Pages】:237-248
【Authors】: Xing Gao ; Zhongshu Gu ; Mehmet Kayaalp ; Dimitrios Pendarakis ; Haining Wang
【Abstract】: Container technology provides a lightweight operating system level virtual hosting environment. Its emergence profoundly changes the development and deployment paradigms of multi-tier distributed applications. However, due to the incomplete implementation of system resource isolation mechanisms in the Linux kernel, some security concerns still exist for multiple containers sharing an operating system kernel on a multi-tenancy container cloud service. In this paper, we first present the information leakage channels we discovered that are accessible within the containers. Such channels expose a spectrum of system-wide host information to the containers without proper resource partitioning. By exploiting such leaked host information, it becomes much easier for malicious adversaries (acting as tenants in the container clouds) to launch advanced attacks that might impact the reliability of cloud services. Additionally, we discuss the root causes of the containers' information leakages and propose a two-stage defense approach. As demonstrated in the evaluation, our solution is effective and incurs trivial performance overhead.
【Keywords】: Containers; Kernel; Linux; Cloud computing; Servers; Security
【Paper Link】 【Pages】:249-260
【Authors】: Seunghyeon Lee ; Jinwoo Kim ; Seungwon Shin ; Phillip A. Porras ; Vinod Yegneswaran
【Abstract】: Network-based anomaly detection is a well-mined area of research, with many projects that have produced algorithms to detect suspicious and anomalous activities at strategic points in a network. In this paper, we examine how to integrate an anomaly detection development framework into existing software-defined network (SDN) infrastructures to support sophisticated anomaly detection services across the entire network data plane, not just at network egress boundaries. We present Athena as a new SDN-based software solution that exports a well-structured development interface and provides general purpose functions for rapidly synthesizing a wide range of anomaly detection services and network monitoring functions with minimal programming effort. Athena is a fully distributed application hosting architecture, enabling a unique degree of scalability from prior SDN security monitoring and analysis projects. We discuss example use-case scenarios with Athena's development libraries, and evaluate system performance with respect to usability, scalability, and overhead in real world environments.
【Keywords】: Anomaly detection; Feature extraction; Monitoring; Distributed databases; Detectors; Algorithm design and analysis; Control systems
【Paper Link】 【Pages】:261-272
【Authors】: Cheng Feng ; Tingting Li ; Deeph Chana
【Abstract】: We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques.
【Keywords】: industrial control systems; anomaly detection; signature database; long short term memory networks; Bloom filters
【Paper Link】 【Pages】:273-284
【Authors】: Jinyuan Jia ; Binghui Wang ; Neil Zhenqiang Gong
【Abstract】: Online social networks are known to be vulnerable to the so-called Sybil attack, in which an attacker maintains massive fake accounts (also called Sybils) and uses them to perform various malicious activities. Therefore, Sybil detection is a fundamental security research problem in online social networks. Random walk based methods, which leverage the structure of an online social network to distribute reputation scores for users, have been demonstrated to be promising in certain real-world online social networks. In particular, random walk based methods have three desired features: they can have theoretically guaranteed performance for online social networks that have the fast-mixing property, they are accurate when the social network has strong homophily property, and they can be scalable to large-scale online social networks. However, existing random walk based methods suffer from several key limitations: (1) they can only leverage either labeled benign users or labeled Sybils, but not both, (2) they have limited detection accuracy for weak-homophily social networks, and (3) they are not robust to label noise in the training dataset. In this work, we propose a new random walk based Sybil detection method called SybilWalk. SybilWalk addresses the limitations of existing random walk based methods while maintaining their desired features. We perform both theoretical and empirical evaluations to compare SybilWalk with previous random walk based methods. Theoretically, for online social networks with the fast-mixing property, SybilWalk has a tighter asymptotical bound on the number of Sybils that are falsely accepted into the social network than all existing random walk based methods. Empirically, we compare SybilWalk with previous random walk based methods using both social networks with synthesized Sybils and a large-scale Twitter dataset with real Sybils. Our empirical results demonstrate that (1) SybilWalk is substantially more accurate than existing random walk based methods for weakhomophily social networks, (2) SybilWalk is substantially more robust to label noise than existing random walk based methods, and (3) SybilWalk is as scalable as the most efficient existing random walk based methods. In particular, on the Twitter dataset, SybilWalk achieves a false positive rate of 1.3% and a false negative rate of 17.3%.
【Keywords】: Robustness; Training; Twitter; Image edge detection; Random variables; Security
【Paper Link】 【Pages】:285-296
【Authors】: Zhili Chen ; Lin Chen ; Hong Zhong
【Abstract】: Database-driven spectrum access is regarded as an effective spectrum redistribution mechanism. However, dialoguing with the spectrum database requires both primary and secondary users to reveal their sensitive data to the spectrum database manager (SDM), leading to serious privacy concerns. In this paper, we show that the SDM can perform database operations (both updates and queries) without knowing any information about the users' sensitive inputs and the database contents, by combining garbled circuits and secret sharing. Our design uses data-oblivious sorting networks to leverage parallelism of query operations, yielding an efficient query algorithm. We further combine secure computations with authentication techniques to get a verification mechanism for correctness checking. As far as we know, our proposal is the first secure and verifiable database-driven spectrum sharing scheme protecting both primary users' (PUs') and secondary users' (SUs') privacies. Finally, we fully implement our system, and demonstrate that even on commodity PC, our implementation suffers mild performance overhead.
【Keywords】: Databases; Protocols; Data privacy; Cryptography; Privacy; Algorithm design and analysis
【Paper Link】 【Pages】:297-308
【Authors】: Wei-Han Lee ; Ruby B. Lee
【Abstract】: Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.
【Keywords】: Security; Privacy; Smartphone; Smartwatch; Machine Learning; Sensors; Authentication; Context
【Paper Link】 【Pages】:309-320
【Authors】: Wei-Han Lee ; Ruby B. Lee
【Abstract】: Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.
【Keywords】: Security; Privacy; Smartphone; Smartwatch; Machine Learning; Sensors; Authentication
【Paper Link】 【Pages】:321-332
【Authors】: Varun Badrinath Krishna ; Michael Rausch ; Benjamin E. Ujcich ; Indranil Gupta ; William H. Sanders
【Abstract】: Wireless sensor networks (WSNs) should collect accurate readings to reliably capture an environment's state. However, readings may become erroneous because of sensor hardware failures or degradation. In remote deployments, centrally detecting those reading errors can result in many message transmissions, which in turn dramatically decreases sensor battery life. In this paper, we address this issue through three main contributions. First, we propose REMAX, a peer-to-peer (P2P) error detection protocol that extends the WSN's life by minimizing message transmissions. Second, we propose a low-overhead error detection approach that helps minimize communication complexity. Third, we evaluate our approach via a trace-driven, discrete-event simulator, using two datasets from real WSN deployments that measure indoor air temperature and seismic wave amplitude. Our results show that REMAX can accurately detect errors and extend the WSN's reachability (effective lifetime) compared to the centralized approach.
【Keywords】: reachability; energy; optimal; wireless; sensor; networks; error; anomaly; detection; bivariate; isocontour; efficient; WSN; message; transmission
【Paper Link】 【Pages】:333-344
【Authors】: Rainer Schiekofer ; Johannes Behl ; Tobias Distler
【Abstract】: Coordination services are essential building blocks of today's data centers as they provide processes of distributed applications with means to reliably exchange data. Consequently, coordination services must deliver high performance to ensure that they do not become a bottleneck for the applications depending on them. Unfortunately, the design of existing services such as ZooKeeper prevents them from scaling with the number of cores on a machine. In this paper, we address this problem with Agora, a high-performance coordination service that is able to both effectively and efficiently utilize multi-core machines. Agora relies on a primary-backup replication architecture that partitions the workload on each server to achieve parallelism while still providing similar consistency guarantees as ZooKeeper. Our evaluation shows that Agora scales with the number of cores and thus can fully utilize the network resources available.
【Keywords】: Dependability; high performance; coordination service; multi-cores; primary-backup replication; consistency; efficiency
【Paper Link】 【Pages】:345-356
【Authors】: Yvonne Anne Pignolet ; Stefan Schmid ; Gilles Trédan
【Abstract】: Reliable and highly available computer networks must implement resilient fast rerouting mechanisms: upon a link or node failure, an alternative route is determined quickly, without involving the network control plane. Designing such fast failover mechanisms capable of dealing with multiple concurrent failures however is challenging, as failover rules need to be installed proactively, i.e., ahead of time, without knowledge of the actual failures happening at runtime. Indeed, only little is known today about the design of resilient routing algorithms. This paper presents a deterministic local failover mechanism which we prove to result in a minimum network load for a wide range of communication patterns, solving an open problem. Our mechanism relies on the key insight that resilient routing essentially constitutes a distributed algorithm without coordination. Accordingly, we build upon the theory of combinatorial designs and develop a novel deterministic failover mechanism based on symmetric block design theory which tolerates a maximal number of Ω(n) link failures in an n-node network and in the worst-case, while always ensuring routing connectivity. In particular, we show that at least Ω(φ2) link failures are needed to generate a maximum link load of at least φ, which matches an existing bound on the number of link failures needed for an optimal failover scheme. We complement our formal analysis with simulations, showing that our approach outperforms prior schemes not only in the worst-case.
【Keywords】: Routing; Tagging; Computer networks; Control systems; Ports (Computers); Computational modeling; Load modeling
【Paper Link】 【Pages】:357-366
【Authors】: Julia Lawall ; Gilles Muller
【Abstract】: The Linux kernel is highly configurable, and thus, in principle, any line of code can be included or excluded from the compiled kernel based on configuration operations. Configurability complicates the task of a kernel janitor, who cleans up faults across the code base. A janitor may not be familiar with the configuration options that trigger compilation of a particular code line, leading him to believe that a fix has been compile-checked when this is not the case. We propose JMake, a mutation-based tool for signaling changed lines that are not subjected to the compiler. JMake shows that for most of the 12,000 file-modifying commits between Linux v4.3 and v4.4 the configuration chosen by the kernel allyesconfig option is sufficient, once the janitor chooses the correct architecture. For most commits, this check requires only 30 seconds or less. We then characterize the situations in which changed code is not subjected to compilation in practice.
【Keywords】: Linux kernel; configurability; variability; compilation
【Paper Link】 【Pages】:367-378
【Authors】: Amit Klein ; Haya Shulman ; Michael Waidner
【Abstract】: Domain Name System (DNS) is a fundamental element of the Internet providing lookup services for end users as well as for a multitude of applications, systems and security mechanisms that depend on DNS, such as antispam defences, routing security, firewalls, certificates and more. Caches constitute a critical component of DNS, allowing to improve efficiency and reduce latency and traffic in the Internet. Understanding the behaviour, configurations and topologies of caches in the DNS platforms in the Internet is important for efficiency and security of Internet users and services. In this work we present methodologies for efficiently discovering and enumerating the caches of the DNS resolution platforms in the Internet. We apply our techniques and methodologies for studying caches in popular DNS resolution platforms in the Internet. Our study includes networks of major ISPs, enterprises and professionally managed open DNS resolvers. The results of our Internet measurements shed light on architectures and configurations of the caches in DNS resolution platforms.
【Keywords】: Internet; Security; IP networks; Tools; Software; Data collection; Current measurement
【Paper Link】 【Pages】:379-390
【Authors】: Marcello Cinque ; Raffaele Della Corte ; Antonio Pecchia
【Abstract】: Critical information systems strongly rely on event logging techniques to collect data, such as housekeeping/error events, execution traces and dumps of variables, into unstructured text logs. Event logs are the primary source to gain actionable intelligence from production systems. In spite of the recognized importance, system/application logs remain quite underutilized in security analytics when compared to conventional and structured data sources, such as audit traces, network flows and intrusion detection logs. This paper proposes a method to measure the occurrence of interesting activity (i.e., entries that should be followed up by analysts) within textual and heterogeneous runtime log streams. We use an entropy-based approach, which makes no assumptions on the structure of underlying log entries. Measurements have been done in a real-world Air Traffic Control information system through a data analytics framework. Experiments suggest that our entropy-based method represents a valuable complement to security analytics solutions.
【Keywords】: Event logging; security; log analytics; filtering; information systems
【Paper Link】 【Pages】:391-402
【Authors】: Babak Rahbarinia ; Marco Balduzzi ; Roberto Perdisci
【Abstract】: In this paper, we present a large-scale study of global trends in software download events, with an analysis of both benign and malicious downloads, and a categorization of events for which no ground truth is currently available. Our measurement study is based on a unique, real-world dataset collected at Trend Micro containing more than 3 million in-the-wild web-based software download events involving hundreds of thousands of Internet machines, collected over a period of seven months. Somewhat surprisingly, we found that despite our best efforts and the use of multiple sources of ground truth, more than 83% of all downloaded software files remain unknown, i.e. cannot be classified as benign or malicious, even two years after they were first observed. If we consider the number of machines that have downloaded at least one unknown file, we find that more than 69% of the entire machine/user population downloaded one or more unknown software file. Because the accuracy of malware detection systems reported in the academic literature is typically assessed only over software files that can be labeled, our findings raise concerns on their actual effectiveness in large-scale real-world deployments, and on their ability to defend the majority of Internet machines from infection. To better understand what these unknown software files may be, we perform a detailed analysis of their properties. We then explore whether it is possible to extend the labeling of software downloads by building a rule-based system that automatically learns from the available ground truth and can be used to identify many more benign and malicious files with very high confidence. This allows us to greatly expand the number of software files that can be labeled with high confidence, thus providing results that can benefit the evaluation of future malware detection systems.
【Keywords】: Malware; measurement study; machine learning; rule-based classification; large-scale data analysis
【Paper Link】 【Pages】:403-414
【Authors】: Yeonjoon Lee ; Tongxin Li ; Nan Zhang ; Soteris Demetriou ; Mingming Zha ; XiaoFeng Wang ; Kai Chen ; Xiao-yong Zhou ; Xinhui Han ; Michael Grace
【Abstract】: Android allows developers to build apps with app installation functionality themselves with minimal restriction and support like any other functionalities. Given the critical importance of app installation, the security implications of the approach can be significant. This paper reports the first systematic study on this issue, focusing on the security guarantees of different steps of the App Installation Transaction (AIT). We demonstrate the serious consequences of leaving AIT development to individual developers: most installers (e.g., Amazon AppStore, DTIgnite, Baidu) are riddled with various security-critical loopholes, which can be exploited by attackers to silently install any apps, acquiring dangerous-level permissions or even unauthorized access to system resources. Surprisingly, vulnerabilities were found in all steps of AIT. The attacks we present, dubbed Ghost Installer Attack (GIA), are found to pose a realistic threat to Android ecosystem. Further, we developed both a user-app-level and a system-level defense that are innovative and practical.
【Keywords】: Androids; Humanoid robots; Security; Google; Smart phones; Systematics; Fasteners
【Paper Link】 【Pages】:415-426
【Authors】: Zhengyang Qu ; Shahid Alam ; Yan Chen ; Xiaoyong Zhou ; Wangjun Hong ; Ryan Riley
【Abstract】: Android has provided dynamic code loading (DCL) since API level one. DCL allows an app developer to load additional code at runtime. DCL raises numerous challenges with regards to security and accountability analysis of apps. While previous studies have investigated DCL on Android, in this paper we formulate and answer three critical questions that are missing from previous studies: (1) Where does the loaded code come from (remotely fetched or locally packaged), and who is the responsible entity to invoke its functionality? (2) In what ways is DCL utilized to harden mobile apps, specifically, application obfuscation? (3) What are the security risks and implications that can be found from DCL in off-the-shelf apps? We design and implement DyDroid, a system which uses both dynamic and static analysis to analyze dynamically loaded code. Dynamic analysis is used to automatically exercise apps, capture DCL behavior, and intercept the loaded code. Static analysis is used to investigate malicious behavior and privacy leakage in that dynamically loaded code. We have used DyDroid to analyze over 46K apps with little manual intervention, allowing us to conduct a large-scale measurement to investigate five aspects of DCL, such as source identification, malware detection, vulnerability analysis, obfuscation analysis, and privacy tracking analysis. We have several interesting findings. (1) 27 apps are found to violate the content policy of Google Play by executing code downloaded from remote servers. (2) We determine the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading. (3) DCL's stealthiness enables it to be a channel to deploy malware, and we find 87 apps loading malicious binaries which are not detected by existing antivirus tools. (4) We found 14 apps that are vulnerable to code injection attacks due to dynamically loading code which is writable by other apps. (5) DCL is mainly used by third-party SDKs, meaning that app developers may not know what sort of sensitive functionality is injected into their apps.
【Keywords】: Mobile security; Smartphone; Android; Dynamic Code Loading; Dynamic analysis; Measurement
【Paper Link】 【Pages】:427-438
【Authors】: Yacong Gu ; Kun Sun ; Purui Su ; Qi Li ; Yemian Lu ; Lingyun Ying ; Dengguo Feng
【Abstract】: Android system applies a permission-based security model to restrict unauthorized apps from accessing system services, however, this security model cannot constrain authorized apps from sending excessive service requests to exhaust the limited system resource allocated for each system service. As references from native code to a Java object, JNI Global References (JGR) are prone to memory leaks, since they are not automatically garbage collected. Moreover, JGR exhaustion may lead to process abort or even Android system reboot when the victim process could not afford the JGR requests triggered by malicious apps through inter-process communication. In this paper, we perform a systematic study on JGR exhaustion (JGRE) attacks against all system services in Android. Our experimental results show that among the 104 system services in Android 6.0.1, 32 system services have 54 vulnerabilities. Particularly, 22 system services can be successfully attacked without any permission support. After reporting those vulnerabilities to Android security team and getting confirmed, we study the existing ad hoc countermeasures in Android against JGRE attacks. Surprisingly, among the 10 system services that have been protected, 8 system services are still vulnerable to JGRE attacks. Finally, we develop an effective defense mechanism to defeat all identified JGRE attacks by adopting Android's low memory killer (LMK) mechanism.
【Keywords】: Androids; Humanoid robots; Java; Smart phones; Runtime; Servers; Security
【Paper Link】 【Pages】:439-450
【Authors】: Rachid Guerraoui ; Anne-Marie Kermarrec ; Rhicheek Patra ; Mahammad Valiyev ; Jingjing Wang
【Abstract】: Recommenders widely use collaborative filtering schemes. These schemes, however, threaten privacy as user profiles are made available to the service provider hosting the recommender and can even be guessed by curious users who analyze the recommendations. Users can encrypt their profiles to hide them from the service provider and add noise to make them difficult to guess. These precautionary measures hamper latency and recommendation quality. In this paper, we present a novel recommender, X-REC, enabling an effective collaborative filtering scheme to ensure the privacy of users against the service provider (system-level privacy) or other users (user-level privacy). X-REC builds on two underlying services: X-HE, an encryption scheme designed for recommenders, and X-NN, a neighborhood selection protocol over encrypted profiles. We leverage uniform sampling to ensure differential privacy against curious users. Our extensive evaluation demonstrates that X-REC provides (1) recommendation quality similar to non-private recommenders, and (2) significant latency improvement over privacy-aware alternatives.
【Keywords】: Privacy; Recommender Systems
【Paper Link】 【Pages】:451-462
【Authors】: Ping Chen ; Jun Xu ; Zhisheng Hu ; Xinyu Xing ; Minghui Zhu ; Bing Mao ; Peng Liu
【Abstract】: Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.
【Keywords】: Address space randomization; JIT-ROP; OS kernel; binary instrumentation
【Paper Link】 【Pages】:463-474
【Authors】: Birhanu Eshete ; V. N. Venkatakrishnan
【Abstract】: Web-borne malware continues to be a major threat on the Web. At the core of malware infection are for-crime toolkits that exploit vulnerabilities in browsers and their extensions. When a victim host gets infected, the infection dynamics is often buried in benign traffic, which makes the task of inferring malicious behavior a non-trivial exercise. In this paper, we leverage web conversation graph analytics to tap into the rich dynamics of the interaction between a victim and malicious host(s) without the need for analyzing exploit payload. Based on insights derived from infection graph analytics, we formulate the malware detection challenge as a graph-analytics based learning problem. The key insight of our approach is the payload-agnostic abstraction and comprehensive analytics of malware infection dynamics pre-, during-, and post-infection. Our technique leverages 3 years of infection intelligence spanning 9 popular exploit kit families. Our approach is implemented in a tool called DynaMiner and evaluated on infection and benign HTTP traffic. DynaMiner achieves a 97.3% true positive rate with false positive rate of 1.5%. Our forensic and live case studies suggest the effectiveness of comprehensive graph abstraction malware infection. In some instances, DynaMiner detected unknown malware 11 days earlier than existing AV engines.
【Keywords】: malware detection; graph analytics; machine learning
【Paper Link】 【Pages】:475-486
【Authors】: Carina Pilch ; Anne Remke
【Abstract】: The modeling formalism of hybrid Petri nets allows investigating the dependability of e.g. critical infrastructures with hybrid characteristics. Hybrid Petri nets can model random delays with so-called general transitions. Approaches for analyzing such Petri nets are available for models with one or two general transitions, which change the discrete marking of the system by firing only once. We extend the formalism to more general transitions that possibly fire multiple times. This work provides a definition of the probability space for the evolution of hybrid Petri nets over time and presents an efficient approach to discrete-event simulation. Statistical Model Checking techniques are introduced to verify complex properties on hybrid Petri nets. The presented methods are implemented in Java and we show their feasibility in a case study that also serves to validate our results.
【Keywords】: hybrid Petri nets; HPnGs; Statistical Model Checking; Discrete-event simulation
【Paper Link】 【Pages】:487-498
【Authors】: Laurent Chuat ; Adrian Perrig ; Yih-Chun Hu
【Abstract】: Multipath communication not only allows improved throughput but can also be used to leverage different path characteristics to best fulfill each application's objective. In particular, certain delay-sensitive applications, such as real-time voice and video communications, can usually withstand packet loss and aim to maximize throughput while keeping latency at a reasonable level. In such a context, one hard problem is to determine along which path the data should be transmitted or retransmitted. In this paper, we formulate this problem as a linear optimization, show bounds on the performance that can be obtained in a multipath paradigm, and show that path diversity is a strong asset for improving network performance. We also discuss how these theoretical limits can be approached in practice and present simulation results.
【Keywords】: Protocols; Reliability; Delays; Bandwidth; Computer network reliability; Routing; Throughput
【Paper Link】 【Pages】:499-510
【Authors】: Daniel D. Dunn ; Samuel A. Mitchell ; Imran Sajjad ; Ryan M. Gerdes ; Rajnikant Sharma ; Ming Li
【Abstract】: We show that a stream of automated vehicles traveling along the highway can be destabilized to catastrophic effect through modification of the control laws of individual vehicles. Specifically, one active attacker who introduces errors, in addition to one or many passive attackers who amplify the error, may, by the modification of a single parameter, induce oscillatory traffic jams that cause delay, driver discomfort, excess energy expenditure, and increased risk of accidents that could result in serious injury or death. We determine the conditions under which an attacker(s) is able to violate the primary design criterion of automated vehicle streams, known as string stability, to guarantee system instability. Furthermore, we prove that once the stream has been destabilized it will continually deviate from the desired state, even in the absence of additional input to the system-i.e. the jammed condition will self-perpetuate. Through a comparison with a behavioral human driver model, this work demonstrates that automated vehicle systems are more vulnerable to disruption than their non-automated counterparts. The postulated attack is demonstrated on a scaled system and identification of attackers is discussed.
【Keywords】: Stability analysis; Vehicles; Acceleration; Automation; Electronic mail; Road transportation; Control systems
【Paper Link】 【Pages】:511-518
【Authors】: Yan Liu ; Yue Wu ; Zbigniew Kalbarczyk
【Abstract】: Urban railway systems, as the most heavily used systems in daily life, suffer from frequent service disruptions resulting millions of affected passengers and huge economic losses. Maintenance of the systems is done by maintaining individual devices in fixed cycles. It is time consuming, yet not effective. Thus, to reduce service failures through smart maintenance is becoming one of the top priorities of the system operators. In this paper, we propose a data driven approach that is to decide maintenance cycle based on estimating the mean time to failure of the system. There are two challenges: 1) as a cyber physical system, hardwares of cyber components (like signalling devices) fail more frequently than physical components (like power plants), 2) as a system of systems, functional dependency exists not only between components within a sub-system but also between different sub-systems, for example, a train relies on traction power system to operate. To meet the challenges, a Dynamic Fault Tree (DFT) based approach is adopted for the expressiveness of the modelling formalism and an efficient tool support by DFTCalc. Our case study shows interesting results that the Singapore Massive Rapid Train (MRT) system is likely to fail in 20 days from the full functioning status based on the manufacture data.
【Keywords】: Dynamic Fault Tree Analysis; Smart Maintenance; Critical Infrastructure; Urban Railway System
【Paper Link】 【Pages】:519-530
【Authors】: Jinkyu Koo ; Xiaojun Lin ; Saurabh Bagchi
【Abstract】: An emerging solution to privacy issues in smart grids is battery-based load hiding (BLH) that uses a rechargeable battery to decouple the meter readings from user activities. However, existing BLH algorithms have two significant limitations: (1) Most of them focus on flattening high-frequency variation of usage profile only, thereby still revealing a low-frequency shape, (2) Otherwise, they assume to know a statistical model of usage pattern. To overcome these limitations, we propose a new BLH algorithm, named RL-BLH. The RL-BLH hides both low-frequency and high-frequency usage patterns by shaping the meter readings to rectangular pulses. The RL-BLH learns a decision policy for choosing pulse magnitudes on the fly without prior knowledge of usage pattern. The decision policy is designed to charge and discharge the battery in the optimal way to maximize cost savings. We also provide heuristics to shorten learning time and improve cost savings.
【Keywords】: Batteries; Privacy; Pricing; Smart meters; Shape; Learning (artificial intelligence)
【Paper Link】 【Pages】:531-542
【Authors】: Devendra Shelar ; Pengfei Sun ; Saurabh Amin ; Saman A. Zonouz
【Abstract】: Power grid operations rely on the trustworthy operation of critical control center functionalities, including the so-called Economic Dispatch (ED) problem. The ED problem is a large-scale optimization problem that is periodically solved by the system operator to ensure the balance of supply and load while maintaining reliability constraints. In this paper, we propose a semantics-based attack generation and implementation approach to study the security of the ED problem.1 Firstly, we generate optimal attack vectors to transmission line ratings to induce maximum congestion in the critical lines, resulting in the violation of capacity limits. We formulate a bilevel optimization problem in which the attacker chooses manipulations of line capacity ratings to maximinimize the percentage line capacity violations under linear power flows. We reformulate the bilevel problem as a mixed integer linear program that can be solved efficiently. Secondly, we describe how the optimal attack vectors can be implemented in commercial energy management systems (EMSs). The attack explores the dynamic memory space of the EMS, and replaces the true line capacity ratings stored in data regions with the optimal attack vectors. In contrast to the well-known false data injection attacks to control systems that require compromising distributed sensors, our approach directly implements attacks to the control center server. Our experimental results on benchmark power systems and five widely utilized EMSs show the practical feasibility of our attack generation and implementation approach.
【Keywords】: Cyber-physical systems; smart grids; network security seem like the most relevant keywords
【Paper Link】 【Pages】:543-550
【Authors】: Oleksii Oleksenko ; Dmitrii Kuvaiskii ; Pramod Bhatotia ; Christof Fetzer
【Abstract】: Software systems research relies on experimental evaluation to assess the effectiveness of newly developed solutions. However, the existing evaluation frameworks are rigid (do not allow creation of new experiments), often simplistic (may not reveal issues that appear in real-world applications), and can be inconsistent (do not guarantee reproducibility of experiments across platforms). This paper presents Fex, a software systems evaluation framework that addresses these limitations. Fex is extensible (can be easily extended with custom experiment types), practical (supports composition of different benchmark suites and real-world applications), and reproducible (it is built on container technology to guarantee the same software stack across platforms). We show that Fex achieves these design goals with minimal end-user effort - for instance, adding Nginx web-server to evaluation requires only 160 LoC. Going forward, we discuss the architecture of the framework, explain its interface, show common usage scenarios, and evaluate the efforts for writing various custom extensions.
【Keywords】: Benchmarks; performance; experiment automation
【Paper Link】 【Pages】:551-558
【Authors】: Iberia Medeiros ; Miguel Beatriz ; Nuno Ferreira Neves ; Miguel Correia
【Abstract】: Despite the significant efforts put in building more secure web applications, cases of high impact breaches continue to appear. Vulnerabilities in web applications are often created due to inconsistencies in the way SQL queries are believed to be run and the way they are actually executed by a Database Management System (DBMS). This paper presents a demonstration of SEPTIC, a mechanism that detects and blocks injection attacks inside the DBMS. The demonstration considers a scenario of a non-trivial PHP web application, backed by a MySQL DBMS, which was modified to include SEPTIC. It presents how SEPTIC blocks injection attacks without compromising the application correctness and performance. In addition, SEPTIC is compared to alternative approaches, such as sanitizations carried out with standard functions provided language and a web application firewall.
【Keywords】: Web applications; injection attacks; DBMS; software security; runtime protection; security
【Paper Link】 【Pages】:559-566
【Authors】: William H. Hawkins ; Jason D. Hiser ; Michele Co ; Anh Nguyen-Tuong ; Jack W. Davidson
【Abstract】: To quickly patch security vulnerabilities there has been keen interest in securing binaries in situ. Unfortunately, the state of the art in static binary rewriting does not allow the transformed program to be both space and time efficient. A primary limitation is that leading static rewriters require that the original copy of the code remains in the transformed binary, thereby incurring file size overhead of at least 100%. This paper presents Zipr, a static binary rewriter that removes this limitation and enables both space and time efficient transformation of arbitrary binaries. We describe results from applying Zipr in the DARPA Cyber Grand Challenge (CGC), the first fully automated cyber-hacking contest. The CGC rules penalized competitors for producing a patched binary whose on-disk size was 20% larger than the original, whose CPU utilization was 5% more than the original, and whose memory use was 5% more than the original. Zipr's efficiency enabled our automated system, Xandra, to apply both code diversity and control flow integrity security techniques to secure challenge binaries provided by DARPA, resulting in Xandra having the best security score in the competition, remaining within the required space and time performance envelope, and winning a $1M cash prize.
【Keywords】: Compilers; Program Analysis; Restructuring; Reverse Engineering; Reengineering; Security
【Paper Link】 【Pages】:567-578
【Authors】: Benjamin E. Ujcich ; Uttam Thakore ; William H. Sanders
【Abstract】: Software-defined networking (SDN) has recently attracted interest as a way to provide cyber resiliency because of its programmable and logically centralized nature. However, the security of the SDN architecture itself against malicious attacks is not well understood and must be ensured in order to provide cyber resiliency to systems that use SDNs. In this paper, we present ATTAIN, an attack injection framework for OpenFlow-based SDN architectures. First, we define an attack model that relates system components to an attacker's capability to influence control plane behavior. Second, we define an attack language for writing control plane attacks that can be used to evaluate SDN implementations. Third, we describe an attack injector architecture that actuates attacks in networks. Finally, we evaluate our framework with an enterprise network case study by writing and running attacks with popular SDN controllers.
【Keywords】: software-defined networking; SDN; OpenFlow; attack model; attack language; attack injection; fault injection; dependability; security; software testing
【Paper Link】 【Pages】:579-590
【Authors】: Christopher Natoli ; Vincent Gramoli
【Abstract】: Most blockchain systems are forkable in that they require participants to agree on a chain out of multiple possible branches of blocks. In this paper, we identify a new form of attack, called the Balance attack, against these forkable blockchain systems. The novelty of this attack consists of delaying network communications between multiple subgroups of nodes with balanced mining power. Our theoretical analysis captures the tradeoff between the network delay and the mining power of the attacker needed to double-spend in the GHOST protocol with high probability. We quantify our analysis in the settings of the Ethereum testnet of the R3 consortium where we show that a single machine needs to delay messages for 20 minutes to double spend while a coalition with a third of the mining power would simply need 4 minutes to double spend with 94% of success. We experiment the attack in our private Ethereum chain before arguing for a non-forkable blockchain design to protect against Balance attacks.
【Keywords】: Ethereum; forks; GHOST; consortium blockchain; private blockchain; Bitcoin; Byzantine; Casper
【Paper Link】 【Pages】:591-602
【Authors】: Yuan Yao ; Bin Xiao ; Gaofei Wu ; Xue Liu ; Zhiwen Yu ; Kailong Zhang ; Xingshe Zhou
【Abstract】: Vehicular Ad Hoc Networks (VANETs) enable vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications that bring many benefits and conveniences to improve the road safety and drive comfort in future transportation systems. Sybil attack is considered one of the most risky threats in VANETs since a Sybil attacker can generate multiple fake identities with false messages to severely impair the normal functions of safety-related applications. In this paper, we propose a novel Sybil attack detection method based on Received Signal Strength Indicator (RSSI), Voiceprint, to conduct a widely applicable, lightweight and full-distributed detection for VANETs. To avoid the inaccurate position estimation according to predefined radio propagation models in previous RSSI-based detection methods, Voiceprint adopts the RSSI time series as the vehicular speech and compares the similarity among all received time series. Voiceprint does not rely on any predefined radio propagation model, and conducts independent detection without the support of the centralized infrastructure. It has more accurate detection rate in different dynamic environments. Extensive simulations and real-world experiments demonstrate that the proposed Voiceprint is an effective method considering the cost, complexity and performance.
【Keywords】: Vehicular Ad Hoc Networks; Sybil attack; Dynamic Time Warping; Received Signal Strength Indicator
【Paper Link】 【Pages】:603-614
【Authors】: Guido Lena Cota ; Sonia Ben Mokhtar ; Gabriele Gianini ; Ernesto Damiani ; Julia Lawall ; Gilles Muller ; Lionel Brunie
【Abstract】: Selfishness is one of the key problems that confronts developers of cooperative distributed systems (e.g., file-sharing networks, voluntary computing). It has the potential to severely degrade system performance and to lead to instability and failures. Current techniques for understanding the impact of selfish behaviours and designing effective countermeasures remain manual and time-consuming, requiring multi-domain expertise. To overcome these difficulties, we propose SEINE, a simulation framework for rapid modelling and evaluation of selfish behaviours in a cooperative system. SEINE relies on a domain-specific language (SEINE-L) for specifying selfishness scenarios, and provides semi-automatic support for their implementation and study in a state-of-the-art simulator. We show in this paper that (1) SEINE-L is expressive enough to specify fifteen selfishness scenarios taken from the literature, (2) SEINE is accurate in predicting the impact of selfishness compared to real experiments, and (3) SEINE substantially reduces the development effort compared to traditional manual approaches.
【Keywords】: Peer-to-peer computing; Cooperative systems; Protocols; Bandwidth; Analytical models; System performance; Streaming media
【Paper Link】 【Pages】:615-626
【Authors】: Daiping Liu ; Xing Gao ; Mingwei Zhang ; Haining Wang ; Angelos Stavrou
【Abstract】: As the most commonly used bots in first-person shooter (FPS) online games, aimbots are notoriously difficult to detect because they are completely passive and resemble excellent honest players in many aspects. In this paper, we conduct the first field measurement study to understand the status quo of aimbots and how they play in the wild. For data collection purpose, we devise a novel and generic technique called baittarget to accurately capture existing aimbots from the two most popular FPS games. Our measurement reveals that cheaters who use aimbots cannot play as skillful as excellent honest players in all aspects even though aimbots can help them to achieve very high shooting performance. To characterize the unskillful and blatant nature of cheaters, we identify seven features, of which six are novel, and these features cannot be easily mimicked by aimbots. Leveraging this set of features, we propose an accurate and robust server-side aimbot detector called AimDetect. The core of AimDetect is a cascaded classifier that detects the inconsistency between performance and skillfulness of aimbots. We evaluate the efficacy and generality of AimDetect using the real game traces. Our results show that AimDetect can capture almost all of the aimbots with very few false positives and minor overhead.
【Keywords】: Online games; Aimbot; baittarget; FPS
【Paper Link】 【Pages】:627-638
【Authors】: Md. Endadul Hoque ; Omar Chowdhury ; Sze Yiu Chau ; Cristina Nita-Rotaru ; Ninghui Li
【Abstract】: Network protocol implementations must comply with their specifications that include properties describing the correct operational behavior of the protocol in response to different temporal orderings of network events. Due to inconsistent interpretations of the specification, developers can unknowingly introduce semantic bugs, which cause the implementations to violate the respective properties. Detecting such bugs in stateful protocols becomes significantly difficult as their operations depend on their internal state machines and the complex interactions between the protocol logic. In this paper, we present an automated tool to help developers analyze their protocol implementations and detect semantic bugs violating the temporal properties of the protocols. Given an implementation, our tool (1) extracts the implemented finite state machine (FSM) of the protocol from the source code by symbolically exploring the code and (2) determines whether the extracted FSM violates given temporal properties by using an off-the-shelf model checker. We demonstrated the efficacy of our tool by applying it on 6 protocol implementations. We detected 11 semantic bugs (2 with security implications) when we analyzed these implementations against properties obtained from their publicly available specifications.
【Keywords】: Protocols; Computer bugs; Semantics; Tools; Security; Model checking; Servers