48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018, Luxembourg City, Luxembourg, June 25-28, 2018. IEEE Computer Society 【DBLP Link】
【Paper Link】 【Pages】:1-12
【Authors】: Kristina Spirovska ; Diego Didona ; Willy Zwaenepoel
【Abstract】: Transactional Causal Consistency (TCC) extends causal consistency, the strongest consistency model compatible with availability, with interactive read-write transactions, and is therefore particularly appealing for geo-replicated platforms. This paper presents Wren, the first TCC system that at the same time i) implements nonblocking read operations, thereby achieving low latency, and ii) allows an application to efficiently scale out within a replication site by sharding. Wren introduces new protocols for transaction execution, dependency tracking and stabilization. The transaction protocol supports nonblocking reads by providing a transaction with a snapshot that is the union of a fresh causal snapshot S installed by every partition in the local data center and a client-side cache for writes that are not yet included in S. The dependency tracking and stabilization protocols require only two scalar timestamps, resulting in efficient resource utilization and providing scalability in terms of replication sites. In return for these benefits, Wren slightly increases the visibility latency of updates. We evaluate Wren on an AWS deployment using up to 5 replication sites and 16 partitions per site. We show that Wren delivers up to 1.4x higher throughput and up to 3.6x lower latency when compared to the state-of-the-art design. The choice of an older snapshot increases local update visibility latency by a few milliseconds. The use of only two timestamps to track causality increases remote update visibility latency by less than 15%.
【Keywords】: Causal consistency; Transactional causal consistency; Geo replication
【Paper Link】 【Pages】:13-26
【Authors】: Vinicius Fratin ; Daniel A. G. de Oliveira ; Caio B. Lunardi ; Fernando Santos ; Gennaro Rodrigues ; Paolo Rech
【Abstract】: The increased need for computing capabilities and higher efficiency have stimulated industries to make available in the market novel architectures with increased complexity. The variety of codes that need to be executed combined with the complexity of novel architectures introduces challenges in the reliability evaluation of computing systems and applications. This paper compares the reliability behaviors of six different architectures (an Intel co-processor, three NVIDIA GPUs, an AMD APU, an embedded ARM) executing eight different codes. To support our evaluation, we present and discuss experimental beam data that covers a total of more than 352,000 years of natural exposure and fault-injection analysis based on a total of more than 120,000 injections. We first quantify both the Silent Data Corruptions and the Detected Unrecoverable Errors rates. Then, we qualify observed errors considering the difference between the corrupted and expected values as well as the portion of the output that has been corrupted. From these analyses, we identify the reliability characteristics which are related to the underlying hardware and the intrinsic behaviors of the executed code. Finally, we discuss the implications of the device- and code-dependent reliability behaviors for approximate computing. We analyze the benefits, in term of reduced error rate, of a relaxed output correctness.
【Keywords】: Fault Tolerance; radiation experiments; fault injection; reliability; architecture; algorithm; approximate computing
【Paper Link】 【Pages】:27-38
【Authors】: Guanpeng Li ; Karthik Pattabiraman ; Siva Kumar Sastry Hari ; Michael B. Sullivan ; Timothy Tsai
【Abstract】: As technology scales to lower feature sizes, devices become more susceptible to soft errors. Soft errors can lead to silent data corruptions (SDCs), seriously compromising the reliability of a system. Traditional hardware-only techniques to avoid SDCs are energy hungry, and hence not suitable for commodity systems. Researchers have proposed selective software-based protection techniques to tolerate hardware faults at lower costs. However, these techniques either use expensive fault injection or inaccurate analytical models to determine which parts of a program must be protected for preventing SDCs. In this work, we construct a three-level model, TRIDENT, that captures error propagation at the static data dependency, control-flow and memory levels, based on empirical observations of error propagations in programs. TRIDENT is implemented as a compiler module, and it can predict both the overall SDC probability of a given program and the SDC probabilities of individual instructions, without fault injection. We find that TRIDENT is nearly as accurate as fault injection and it is much faster and more scalable. We also demonstrate the use of TRIDENT to guide selective instruction duplication to efficiently mitigate SDCs under a given performance overhead bound.
【Keywords】: Error Propagation; Soft Error; Silent Data Corruption; Error Resilience; Program Analysis
【Paper Link】 【Pages】:39-50
【Authors】: Paulo R. Coelho ; Tarcisio Ceolin Junior ; Alysson Bessani ; Fernando Luís Dotti ; Fernando Pedone
【Abstract】: Atomic multicast is an important building block in the architecture of scalable and highly available services. Atomic multicast reliably propagates and orders messages addressed to one or more groups of processes. Despite the large body of literature on atomic multicast, existing protocols target benign failures. This paper presents ByzCast, the first Byzantine Fault-Tolerant atomic multicast. Byzantine Fault Tolerance has become increasingly appealing as services can be deployed in inexpensive hardware (e.g., cloud environments) and new applications (e.g., blockchain) become more sensitive to malicious behavior. ByzCast has two important characteristics: it was designed to use existing BFT abstractions and it scales with the number of groups, for messages addressed to a single group. We discuss the design of ByzCast and how it can be optimized for particular workloads. Besides proposing a novel atomic multicast protocol, we extensively assess its performance experimentally.
【Keywords】: Byzantine Fault Tolerance; Atomic Multicast; Group Communication; State Machine Replication
【Paper Link】 【Pages】:51-58
【Authors】: João Sousa ; Alysson Bessani ; Marko Vukolic
【Abstract】: Hyperledger Fabric is a flexible operating system for permissioned blockchains designed for business applications beyond the basic digital coin addressed by Bitcoin and other existing networks. A key property of this system is its extensibility, and in particular the support for multiple ordering services for building the blockchain. However, version 1 was launched in 2017 without an implementation of a Byzantine fault-tolerant (BFT) ordering service. To overcome this limitation, we designed, implemented, and evaluated a BFT ordering service for this system on top of the BFT-SMART state machine replication/consensus library, with optimizations for wide-area deployment. Our results show that our ordering service can process up to ten thousand transactions per second and write a transaction irrevocably in the blockchain in half a second, even with peers spread across different continents.
【Keywords】: state machine replication; consensus; Byzantine fault tolerance; blockchain
【Paper Link】 【Pages】:59-70
【Authors】: Bijun Li ; Nico Weichbrodt ; Johannes Behl ; Pierre-Louis Aublin ; Tobias Distler ; Rüdiger Kapitza
【Abstract】: Various protocols and architectures have been proposed to make Byzantine fault tolerance (BFT) increasingly practical. However, the deployment of such systems requires dedicated client-side functionality. This is necessary as clients have to connect to multiple replicas and perform majority voting over the received replies to outvote faulty responses. Deploying custom client-side code is cumbersome, and often not an option, especially in open heterogeneous systems and for well-established protocols (e.g., HTTP and IMAP) where diverse client-side implementations co-exist. We propose Troxy, a system which relocates the BFT-specific client-side functionality to the server side, thereby making BFT transparent to legacy clients. To achieve this, Troxy relies on a trusted subsystem built upon hardware protection enabled by Intel SGX. Additionally, Troxy reduces the replication cost of BFT for read-heavy workloads by offering an actively maintained cache that supports trustworthy read operations while preserving the consistency guarantees offered by the underlying BFT protocol. A prototype of Troxy has been built and evaluated, and results indicate that using Troxy (1) leads to at most 43% performance loss with small ordered messages in a local network environment, while (2) improves throughput by 130% with read-heavy workloads in a simulated wide-area network.
【Keywords】: Byzantine fault tolerance; Hybrid fault model; Trusted execution environment; Intel SGX
【Paper Link】 【Pages】:71-82
【Authors】: Jonathan Behrens ; Sagar Jha ; Ken Birman ; Edward Tremel
【Abstract】: Multicast patterns are common in cloud computing and datacenter settings. Applications and infrastructure tools such as Spark frequently move large objects around, update files replicated to multiple nodes, or push new versions of programs to compute nodes. Some applications use replication directly, for example to increase fault-tolerance or achieve parallelism. Implementations of Paxos, block chains and other libraries often employ a hand-built reliable multicast as a primitive. Yet operating systems continue to be focused on point-to-point communication solutions such as TCP or RDMA, a hardware layer with TCP-like semantics that offers zero copy transfers, but lacks a reliable multi-destination transfer capability. Our system, RDMC (RDMA Multicast), offers reliable multicast functionality constructed from RDMA unicast. We discuss design choices, present a theoretical analysis of RDMC's robustness to delays and slow network links, and report on experiments that evaluate RDMC over Mellanox RDMA.
【Keywords】: RDMA; replication; overlay networks; multicast protocols
【Paper Link】 【Pages】:83-94
【Authors】: Rohan Garg ; Tirthak Patel ; Gene Cooperman ; Devesh Tiwari
【Abstract】: Large-scale applications rely on resilience mechanisms such as checkpoint-restart to make forward progress in the presence of failures. Unfortunately, this incurs huge I/O overhead and impedes productivity. To mitigate this challenge, this paper introduces a new technique, Shiraz, which demonstrates how to exploit differences in the checkpointing overhead among applications and knowledge of temporal characteristics of failures to improve both the overall system throughput and performance of individual applications.
【Keywords】: checkpointing; HPC; reliability; storage; large scale systems; system failures
【Paper Link】 【Pages】:95-106
【Authors】: Bin Nie ; Ji Xue ; Saurabh Gupta ; Tirthak Patel ; Christian Engelmann ; Evgenia Smirni ; Devesh Tiwari
【Abstract】: GPUs are widely deployed on large-scale HPC systems to provide powerful computational capability for scientific applications from various domains. As those applications are normally long-running, investigating the characteristics of GPU errors becomes imperative for reliability. In this paper, we first study the system conditions that trigger GPU errors using six-month trace data collected from a large-scale, operational HPC system. Then, we use machine learning to predict the occurrence of GPU errors, by taking advantage of temporal and spatial dependencies of the trace data. The resulting machine learning prediction framework is robust and accurate under different workloads.
【Keywords】: GPU Reliability; System Reliability; HPC; Error Prediction; Machine Learning
【Paper Link】 【Pages】:107-114
【Authors】: Mohit Kumar ; Saurabh Gupta ; Tirthak Patel ; Michael Wilder ; Weisong Shi ; Song Fu ; Christian Engelmann ; Devesh Tiwari
【Abstract】: Today's High Performance Computing (HPC) systems are capable of delivering performance in the order of petaflops due to the fast computing devices, network interconnect, and back-end storage systems. In particular, interconnect resilience and congestion resolution methods have a major impact on the overall interconnect and application performance. This is especially true for scientific applications running multiple processes on different compute nodes as they rely on fast network messages to communicate and synchronize frequently. Unfortunately, the HPC community lacks state-of-practice experience reports that detail how different interconnect errors and congestion events occur on large-scale HPC systems. Therefore, in this paper, we process and analyze interconnect data of the Titan supercomputer to develop a thorough understanding of interconnects faults, errors and congestion events. We also study the interaction between interconnect, errors, network congestion and application characteristics.
【Keywords】: Cray; Gemini; Interconnect; Titan; Errors
【Paper Link】 【Pages】:115-126
【Authors】: Diyu Zhou ; Yuval Tamir
【Abstract】: System recovery latency is decreased by using microreboot to reboot only the failed component instead of the entire system. For large, complex components, such as hypervisors, even the latency of microreboot is unacceptably high in important deployment scenarios. We investigate an alternative component-level recovery mechanism, which we call microreset, that can achieve dramatically lower recovery latency for some such components. Instead of component reboot, microreset quickly resets the component to a quiescent state that is highly likely to be valid and where the component is ready to handle new or retried interactions with the rest of the system. We present a recovery mechanism for the Xen hypervisor, called NiLiHype, based on microreset. We show that, compared to microreboot-based hypervisor recovery, NiLiHype achieves nearly the same recovery success rate but with a recovery latency that is shorter by a factor of over 30.
【Keywords】: recovery; virtualization; hypervisor; fault injection
【Paper Link】 【Pages】:127-138
【Authors】: Christian Wressnegger ; Ansgar Kellner ; Konrad Rieck
【Abstract】: Due its complexity and a multitude of proprietary components, industrial control systems are an immanently difficult field of application for intrusion detection. Proprietary binary protocols and the lack of public specifications have forced the research community to move away from content-based detection to more abstract concepts. In this paper, we show that in contrast to prior belief the content of unknown binary protocols can very well be modeled. ZOE derives prototype models that are specific to individual types of messages in order to capture the characteristics of arbitrary binary protocols and enable detecting different forms of attacks as anomalies. In an evaluation based on 6 days of network traffic recorded at a large power plant (1,900 MW) with over 92,000 unique devices, we demonstrate that ZOE improves upon related approaches by up to an order of magnitude in detection performance, but also significantly decreases false positives.
【Keywords】: Industrial networks; SCADA; Anomaly Detection
【Paper Link】 【Pages】:139-150
【Authors】: Subhash Lakshminarayana ; David K. Y. Yau
【Abstract】: We study moving-target defense (MTD) that actively perturbs transmission line reactances to thwart stealthy false data injection (FDI) attacks against state estimation in a power grid. Prior work on this topic has proposed MTD based on randomly selected reactance perturbations, but these perturbations cannot guarantee effective attack detection. To address the issue, we present formal design criteria to select MTD reactance perturbations that are truly effective. However, based on a key optimal power flow (OPF) formulation, we find that the effective MTD may incur a non-trivial operational cost that has not hitherto received attention. Accordingly, we characterize important tradeoffs between the MTD's detection capability and its associated required cost. Extensive simulations, using the MATPOWER simulator and benchmark IEEE bus systems, verify and illustrate the proposed design approach that for the first time addresses both key aspects of cost and effectiveness of the MTD.
【Keywords】: Moving target defense; false data injection attacks; power grids; effectiveness; operational cost
【Paper Link】 【Pages】:151-162
【Authors】: Zhenqi Huang ; Sriharsha Etigowni ; Luis Garcia ; Sayan Mitra ; Saman A. Zonouz
【Abstract】: Automated vulnerability assessment and exploit generation for computing systems have been explored for decades. However, these approaches are incomplete in assessing industrial control systems, where networks of computing devices and physical processes interact for safety-critical missions. We present an attack synthesis algorithm against such cyber-physical electricity grids. The algorithm explores both discrete network configurations and continuous dynamics of the plant's embedded control system to search for attack strategies that evade detection with conventional monitors. The algorithm enabling this exploration is rooted in recent developments in the hybrid system verification research: it effectively approximates the behavior of the system for a set of possible attacks by computing sensitivity of the system's response to variations in the attack parameters. For parts of the attack space, the proposed algorithm can infer whether or not there exists a feasible attack that avoids triggering protection measures such as relays and steady-state monitors. The algorithm can take into account constraints on the attack space such as the power system topology and the set of controllers across the plant that can be compromised without detection. With a proof-of-concept prototype, we demonstrate the synthesis of transient attacks in several typical electricity grids and analyze the robustness of the synthesized attacks to perturbations in the network parameters.
【Keywords】: attack synthesis; transient attack; hybrid system verification
【Paper Link】 【Pages】:163-170
【Authors】: André Nogueira ; Miguel Garcia ; Alysson Bessani ; Nuno Neves
【Abstract】: In the last decade, Industrial Control Systems have been a frequent target of cyber attacks. As the current defenses sometimes fail to prevent more sophisticated threats, it is necessary to add advanced protection mechanisms to guarantee that correct operation is (always) maintained. In this work, we describe a Supervisory Control and Data Acquisition (SCADA) system enhanced with Byzantine fault-tolerant (BFT) techniques. We document the challenges of building such system from a "traditional" non-BFT solution. This effort resulted in a prototype that integrates the Eclipse NeoSCADA and the BFT-SMaRt open-source projects. We also present an evaluation comparing Eclipse NeoSCADA with our BFT solution. Although the results show a decrease in performance, our solution is still more than enough to accommodate realistic workloads.
【Keywords】: Byzantine fault tolerance; SCADA systems; State Machine Replication; Eclipse NeoSCADA
【Paper Link】 【Pages】:171-182
【Authors】: Roberta Barbi ; Dorian Burihabwa ; Pascal Felber ; Hugues Mercier ; Valerio Schiavoni
【Abstract】: Users entrust an increasing amount of data to online cloud systems for archival purposes. Existing storage systems designed to preserve user data unaltered for decades do not, however, provide strong security guarantees - at least at a reasonable cost. This paper introduces RECAST, an anti-censorship data archival system based on random data entanglement. Documents are mixed together using an entanglement scheme that exploits erasure codes for secure and tamper-proof long-term archival. Data is intertwined in such a way that it becomes virtually impossible to delete a specific document that has been stored long enough in the system, without also erasing a substantial fraction of the whole archive, which requires a very powerful adversary and openly exposes the attack. We validate RECAST entanglement approach via simulations and we present and evaluate a full-fledged prototype deployed in a local cluster. In one of our settings, we show that RECAST, configured with the same storage overhead as triple replication, can withstand 10% of storage node failures without any data loss. Furthermore, we estimate that the effort required from a powerful censor to delete a specific target document is two orders of magnitude larger than for triple replication.
【Keywords】: storage; anti censorship; erasure-coding; entanglement
【Paper Link】 【Pages】:183-194
【Authors】: Vero Estrada-Galiñanes ; Ethan L. Miller ; Pascal Felber ; Jehan-François Pâris
【Abstract】: Data centres that use consumer-grade disks drives and distributed peer-to-peer systems are unreliable environments to archive data without enough redundancy. Most redundancy schemes are not completely effective for providing high availability, durability and integrity in the long-term. We propose alpha entanglement codes, a mechanism that creates a virtual layer of highly interconnected storage devices to propagate redundant information across a large scale storage system. Our motivation is to design flexible and practical erasure codes with high fault-tolerance to improve data durability and availability even in catastrophic scenarios. By "flexible and practical", we mean code settings that can be adapted to future requirements and practical implementations with reasonable trade-offs between security, resource usage and performance. The codes have three parameters. Alpha increases storage overhead linearly but increases the possible paths to recover data exponentially. Two other parameters increase fault-tolerance even further without the need of additional storage. As a result, an entangled storage system can provide high availability, durability and offer additional integrity: it is more difficult to modify data undetectably. We evaluate how several redundancy schemes perform in unreliable environments and show that alpha entanglement codes are flexible and practical codes. Remarkably, they excel at code locality, hence, they reduce repair costs and become less dependent on storage locations with poor availability. Our solution outperforms Reed-Solomon codes in many disaster recovery scenarios.
【Keywords】: availability; fault tolerance; Reed Solomon codes; data storage systems; redundancy; peer to peer computing; encoding; decoding; data integrity; disk drives; computer errrors
【Paper Link】 【Pages】:195-206
【Authors】: Fritz Alder ; Arseny Kurnikov ; Andrew Paverd ; N. Asokan
【Abstract】: Hardware-supported security mechanisms like Intel Software Guard Extensions (SGX) provide strong security guarantees, which are particularly relevant in cloud settings. However, their reliance on physical hardware conflicts with cloud practices, like migration of VMs between physical platforms. For instance, the SGX trusted execution environment (enclave) is bound to a single physical CPU. Although prior work has proposed an effective mechanism to migrate an enclave's data memory, it overlooks the migration of persistent state, including sealed data and monotonic counters; the former risks data loss whilst the latter undermines the SGX security guarantees. We show how this can be exploited to mount attacks, and then propose an improved enclave migration approach guaranteeing the consistency of persistent state. Our software-only approach enables migratable sealed data and monotonic counters, maintains all SGX security guarantees, minimizes developer effort, and incurs negligible performance overhead.
【Keywords】: Counters; Intel SGX; Sealing; VM Migration
【Paper Link】 【Pages】:207-218
【Authors】: Stefan Contiu ; Rafael Pires ; Sébastien Vaucher ; Marcelo Pasin ; Pascal Felber ; Laurent Réveillère
【Abstract】: While many cloud storage systems allow users to protect their data by making use of encryption, only few support collaborative editing on that data. A major challenge for enabling such collaboration is the need to enforce cryptographic access control policies in a secure and efficient manner. In this paper, we introduce IBBE-SGX, a new cryptographic access control extension that is efficient both in terms of computation and storage even when processing large and dynamic workloads of membership operations, while at the same time offering zero knowledge guarantees. IBBE-SGX builds upon Identity-Based Broadcasting Encryption (IBBE). We address IBBE's impracticality for cloud deployments by exploiting Intel Software Guard Extensions (SGX) to derive cuts in the computational complexity. Moreover, we propose a group partitioning mechanism such that the computational cost of membership update is bound to a fixed constant partition size rather than the size of the whole group. We have implemented and evaluated our new access control extension. Results highlight that IBBE-SGX performs membership changes 1.2 orders of magnitude faster than the traditional approach of Hybrid Encryption (HE), producing group metadata that are 6 orders of magnitude smaller than HE, while at the same time offering zero knowledge guarantees.
【Keywords】: Access Control; TEE; SGX
【Paper Link】 【Pages】:219-230
【Authors】: Shixiong Zhao ; Rui Gu ; Haoran Qiu ; Tsz On Li ; Yuexuan Wang ; Heming Cui ; Junfeng Yang
【Abstract】: Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.
【Keywords】: Software Testing; Concurrency Attack
【Paper Link】 【Pages】:231-242
【Authors】: Meisam Navaki Arefi ; Geoffrey Alexander ; Hooman Rokham ; Aokun Chen ; Michalis Faloutsos ; Xuetao Wei ; Daniela Seabra Oliveira ; Jedidiah R. Crandall
【Abstract】: In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily without leaving artifacts in the system or in any easily observable events from outside of a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS^1 a reverse engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) per security policy-based handling of the challenge of indirect flows via the application of tags of different types, and (iii) the use of tags with fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware and it flagged the attacks for all samples. We also analyzed FAROS' false positive rate with 90 non-injecting malware samples and 14 benign software from various categories. FAROS presented a very low false positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.
【Keywords】: Dynamic Information Flow Tracking; In memory Injection; Malware Analysis
【Paper Link】 【Pages】:243-254
【Authors】: Zhilong Wang ; Xuhua Ding ; Chengbin Pang ; Jian Guo ; Jun Zhu ; Bing Mao
【Abstract】: Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.
【Keywords】: Stack buffer overflow; brute force attack; canary
【Paper Link】 【Pages】:255-266
【Authors】: Amy Babay ; Thomas Tantillo ; Trevor Aron ; Marco Platania ; Yair Amir
【Abstract】: As key components of the power grid infrastructure, Supervisory Control and Data Acquisition (SCADA) systems are likely to be targeted by nation-state-level attackers willing to invest considerable resources to disrupt the power grid. We present Spire, the first intrusion-tolerant SCADA system that is resilient to both system-level compromises and sophisticated network-level attacks and compromises. We develop a novel architecture that distributes the SCADA system management across three or more active sites to ensure continuous availability in the presence of simultaneous intrusions and network attacks. A wide-area deployment of Spire, using two control centers and two data centers spanning 250 miles, delivered nearly 99.999% of all SCADA updates initiated over a 30-hour period within 100ms. This demonstrates that Spire can meet the latency requirements of SCADA for the power grid.
【Keywords】: intrusion tolerance; SCADA; network attack; power grid
【Paper Link】 【Pages】:267-278
【Authors】: Xiaoxiao Yang ; Joost-Pieter Katoen ; Huimin Lin ; Gaoang Liu ; Hao Wu
【Abstract】: Linearizability and progress properties are key correctness notions for concurrent objects. This paper presents novel verification techniques for both property classes. The key of our techniques is based on the branching bisimulation equivalence. We first show that it suffices to check linearizability on the quotient object program under branching bisimulation. This is appealing, as it does not rely on linearization points. Further, by exploiting divergence-sensitive branching bisimilarity, our approach proves progress properties (e.g., lock-, wait-freedom) by comparing the concurrent to-be-verified object program against an abstract program consisting of atomic blocks. Our work thus enables the usage of well-known proof techniques for branching bisimulation to check the correctness of concurrent objects. The potential of our approach is illustrated by verifying linearizability and lock-freedom of 14 benchmark algorithms from the literature. Our experiments confirm one known bug and reveals one new bug.
【Keywords】: concurrent data structure; verification; branching bisimulation; lock-free; linearizability
【Paper Link】 【Pages】:279-290
【Authors】: Guanpeng Li ; Karthik Pattabiraman
【Abstract】: Transient hardware faults are increasing in computer systems due to shrinking feature sizes. Traditional methods to mitigate such faults are through hardware duplication, which incurs huge overhead in performance and energy consumption. Therefore, researchers have explored software solutions such as selective instruction duplication, which require fine-grained analysis of instruction vulnerabilities to Silent Data Corruptions (SDCs). These are typically evaluated via Fault Injection (FI), which is often highly time-consuming. Hence, most studies confine their evaluations to a single input for each program. However, there is often significant variation in the SDC probabilities of both the overall program and individual instructions across inputs, which compromises the correctness of results with a single input. In this work, we study the variation of SDC probabilities across different inputs of a program, and identify the reasons for the variations. Based on the observations, we propose a model, VTRIDENT, which predicts the variations in programs' SDC probabilities without any FIs, for a given set of inputs. We find that VTRIDENT is nearly as accurate as FI in identifying the variations in SDC probabilities across inputs. We demonstrate the use of VTRIDENT to bound overall SDC probability of a program under multiple inputs, while performing FI on only a single input.
【Keywords】: Error Propagation; Soft Error; Silent Data Corruption; Error Resilience; Program Analysis; Multiple Inputs
【Paper Link】 【Pages】:291-302
【Authors】: Peter Buchholz ; Tugrul Dayar
【Abstract】: Fluid Stochastic Petri Nets (FSPNs) which have discrete and continuous places are an established model class to describe and analyze several dependability problems for computer systems, software architectures or critical infrastructures. Unfortunately, their analysis is faced with the curse of dimensionality resulting in very large systems of differential equations for a sufficiently accurate analysis. This contribution introduces a class of FSPNs with a compositional structure and shows how the underlying stochastic process can be described by a set of coupled partial differential equations. Using semi discretization, a set of linear ordinary differential equations is generated which can be described by a (hierarchical) sum of Kronecker products. Based on this compact representation of the transition matrix, a numerical solution approach is applied which also represents transient solution vectors in compact form using the recently developed concept of a Hierarchical Tucker Decomposition. The applicability of the approach is presented in a case study analyzing a degrading software system with rejuvenation, restart, and replication.
【Keywords】: Performance and Dependability Analysis; Hybrid Stochastic Models; Flui Stochastic Petri Nets; Numerical Algorithms; Data Structures
【Paper Link】 【Pages】:303-313
【Authors】: Cyrille Jégourel ; Jingyi Wang ; Jun Sun
【Abstract】: In real-world systems, rare events often characterize critical situations like the probability that a system fails within some time bound and they are used to model some potentially harmful scenarios in dependability of safety-critical systems. Probabilistic Model Checking has been used to verify dependability properties in various types of systems but is limited by the state space explosion problem. An alternative is the recourse to Statistical Model Checking (SMC) that relies on Monte Carlo simulations and provides estimates within predefined error and confidence bounds. However, rare properties require a large number of simulations before occurring at least once. To tackle the problem, Importance Sampling, a rare event simulation technique, has been proposed in SMC for different types of probabilistic systems. Importance Sampling requires the full knowledge of probabilistic measure of the system, e.g. Markov chains. In practice, however, we often have models with some uncertainty, e.g., Interval Markov Chains. In this work, we propose a method to apply importance sampling to Interval Markov Chains. We show promising results in applying our method to multiple case studies.
【Keywords】: Rare Events; Importance Sampling; Markov Chains; Interval Markov Chains; Dependability; Statistical Model Checking
【Paper Link】 【Pages】:314-321
【Authors】: Atieh Lotfi ; Nirmal R. Saxena ; Richard Bramley ; Paul Racunas ; Philip P. Shirvani
【Abstract】: Cache structures on modern GPUs or CPUs occupy a large area and are frequently accessed. This increases their vulnerability to transient errors. With some area and energy overhead, these structures are often protected by ECC or parity checking. However, in deference to the energy efficiency and scalability challenges in high-performance computing, it is crucial to minimize any unnecessary overhead while maintaining the desired reliability. This paper evaluates the reliability of unprotected tag SRAM structures in modern GPUs, and studies the use of a low-overhead tag error mitigation mechanism. The proposed mechanism exploits Galois-based hash functions for set-index calculation to mitigate some pathological address strides that cause false hit events. Extensive analysis on a modern GPU indicates that the hash-based mechanism yields 10x reduction in false hit probability (with 2% improvement in hit rate) for write-through data caches when compared to a baseline cache indexing scheme.
【Keywords】: GPU resiliency; Tag error mitigation
【Paper Link】 【Pages】:322-329
【Authors】: Ilya Tuzov ; David de Andrés ; Juan Carlos Ruiz
【Abstract】: The high complexity of new designs and time-to-market pressure have caused design reuse to be at the heart of the common semi-custom hardware design flow. Accordingly, current Electronic Design Automation (EDA) toolchains are developed to support a wide range of hardware description languages, third-party EDA tools, intellectual property cores, and implementation technologies and goals. However, the seamless integration of dependability requirements into such toolchains remains today an open challenge. This paper presents DAVOS, an EDA toolkit supporting assessment, verification, optimisation (design space exploration), and selection (benchmarking) processes for dependability-aware hardware implementations. This toolkit fully automates these processes with efficiency and flexibility in mind, so underlying implementation and analysis phases can be customized to consider alternative off-the-self languages, tools, components and technologies from a dependability perspective. Three different embedded processor models exemplify the design scenarios supported by DAVOS.
【Keywords】: Electronic Design Automation; Dependability assessment; Verification; Optimisation; Dependability benchmarking; Design Space Exploration
【Paper Link】 【Pages】:330-337
【Authors】: Konstantinos Parasyris ; Panos K. Koutsovasilis ; Vassilis Vassiliadis ; Christos D. Antonopoulos ; Nikolaos Bellas ; Spyros Lalis
【Abstract】: To improve power efficiency, researchers are experimenting with dynamically adjusting the voltage and frequency margins of systems to just above the minimum required for reliable operation. Traditionally, manufacturers did not allow reducing these margins. Consequently, existing studies use system simulators, or software fault-injection methodologies, which are slow, inaccurate and cannot be applied on realistic workloads. However recent CPUs allow the operation outside the nominal voltage/frequency envelope. We present eXtended Margins eXperiment Manager (XM 2 ) which enables the evaluation of software on systems operating outside their nominal margins. It supports both bare-metal and OS-controlled execution using an API to control the fault injection procedure and provides automatic management of experimental campaigns. XM 2 requires, on average, 5.6% extra lines of code and increases the application execution time by 2.5%. To demonstrate the flexibility of XM 2 , we perform three case studies: two employing bare-metal execution on a raspberry PI, and one featuring a full-fledged software stack (including OS) on an Intel Skylake Xeon processor.
【Keywords】: fault injection; voltage margins
【Paper Link】 【Pages】:338-349
【Authors】: Sam Ainsworth ; Timothy M. Jones
【Abstract】: Microprocessor error detection is increasingly important, as the number of transistors in modern systems heightens their vulnerability. In addition, many modern workloads in domains such as the automotive and health industries are increasingly error intolerant, due to strict safety standards. However, current detection techniques require duplication of all hardware structures, causing a considerable increase in power consumption and chip area. Solutions in the literature involve running the code multiple times on the same hardware, which reduces performance significantly and cannot capture all errors. We have designed a novel hardware-only solution for error detection, that exploits parallelism in checking code which may not exist in the original execution. We pair a high-performance out-of-order core with a set of small low-power cores, each of which checks a portion of the out-of-order core's execution. Our system enables the detection of both hard and soft errors, with low area, power and performance overheads.
【Keywords】: fault tolerance; microarchitecture; error detection
【Paper Link】 【Pages】:350-361
【Authors】: Qinwen Hu ; Muhammad Rizwan Asghar ; Nevil Brownlee
【Abstract】: Traditional address scanning attacks mainly rely on the naive 'brute forcing' approach, where the entire IPv4 address space is exhaustively searched by enumerating different possibilities. However, such an approach is inefficient for IPv6 due to its vast subnet size (i.e., 2 64 ). As a result, it is widely assumed that address scanning attacks are less feasible in IPv6 networks. In this paper, we evaluate new IPv6 reconnaissance techniques in real IPv6 networks and expose how to leverage the Domain Name System (DNS) for IPv6 network reconnaissance. We collected IPv6 addresses from 5 regions and 100,000 domains by exploiting DNS reverse zone and DNSSEC records. We propose a DNS Guard (DNSG) to efficiently detect DNS reconnaissance attacks in IPv6 networks. DNSG is a plug and play component that could be added to the existing infrastructure. We implement DNSG using Bro and Suricata. Our results demonstrate that DNSG could effectively block DNS reconnaissance attacks.
【Keywords】: IPv6; DNS; IDS; Reconnaissance
【Paper Link】 【Pages】:362-373
【Authors】: Lin Jin ; Shuai Hao ; Haining Wang ; Chase Cotton
【Abstract】: The increasing prevalence of Distributed Denial of Service (DDoS) attacks on the Internet has led to the wide adoption of DDoS Protection Service (DPS), which is typically provided by Content Delivery Networks (CDNs) and is integrated with CDN's security extensions. The effectiveness of DPS mainly relies on hiding the IP address of an origin server and rerouting the traffic to the DPS provider's distributed infrastructure, where malicious traffic can be blocked. In this paper, we perform a measurement study on the usage dynamics of DPS customers and reveal a new vulnerability in DPS platforms, called residual resolution, by which a DPS provider may leak origin IP addresses when its customers terminate the service or switch to other platforms, resulting in the failure of protection from future DPS providers as adversaries are able to discover the origin IP addresses and launch the DDoS attack directly to the origin servers. We identify that two major DPS/CDN providers, Cloudflare and Incapsula, are vulnerable to such residual resolution exposure, and we then assess the magnitude of the problem in the wild. Finally, we discuss the root causes of residual resolution and the practical countermeasures to address this security vulnerability.
【Keywords】: DDoS; DPS; Origin Exposure; Residual Resolution
【Paper Link】 【Pages】:374-385
【Authors】: Richard Skowyra ; Lei Xu ; Guofei Gu ; Veer Dedhia ; Thomas Hobson ; Hamed Okhravi ; James Landry
【Abstract】: As Software-Defined Networking has gained increasing prominence, new attacks have been demonstrated which can corrupt the SDN controller's view of network topology. These topology poisoning attacks, most notably host-location hijacking and link fabrication attacks, enable adversaries to impersonate end-hosts or inter-switch links in order to monitor, corrupt, or drop network flows. In response, defenses have been developed to detect such attacks and raise an alert. In this paper, we analyze two such defenses, TopoGuard and Sphinx, and present two new attacks, Port Probing and Port Amnesia, that can successfully bypass them. We then develop and present extensions to TopoGuard to make it resilient to such attacks.
【Keywords】: Software-Defined Networking; Network Security
【Paper Link】 【Pages】:386-397
【Authors】: David Goltzsche ; Signe Rüsch ; Manuel Nieke ; Sébastien Vaucher ; Nico Weichbrodt ; Valerio Schiavoni ; Pierre-Louis Aublin ; Paolo Costa ; Christof Fetzer ; Pascal Felber ; Peter R. Pietzuch ; Rüdiger Kapitza
【Abstract】: Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems. We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel's Software Guard Extensions (SGX). By maintaining VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox with two scenarios involving (i) a large company; and (ii) an Internet service provider that both need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.
【Keywords】: Middlebox; Trusted Execution; Offloading
【Paper Link】 【Pages】:398-409
【Authors】: Jia Chen ; Ge Han ; Shanqing Guo ; Wenrui Diao
【Abstract】: Recent years have witnessed the enormous growth of Android phones in the consumer market. On the other hand, as the most popular mobile platform, Android also attracts lots of attackers' attention. As a result, more and more Android malicious apps appear in the wild, which poses a serious threat to user's security and privacy. To such massive volume of Android malware, automated UI testing techniques have become the mainstream solutions because of the detection efficiency and accuracy. However, all existing UI testing techniques treat the Activity as the basic unit of UI interactions and cannot carry out a fine-grained analysis for Fragments. Due to the lack of Fragment-level analysis, the path coverage is usually quite limited. To fill this gap, in this paper, we propose FragDroid, a novel automated UI testing framework supporting both Activity and Fragment analysis. To achieve the Fragment-level testing, we design the Activity & Fragment Transition Model (AFTM) to simulate the internal interactions of an app, and ATFM could be utilized to generate test cases automatically through UI interactions. With the assist of AFTM, FragDroid achieves accessing most Activities and Fragments contained in the app along with the capability of detecting arbitrary API calls. We implemented a prototype of FragDroid and evaluated it on 15 popular apps. The results show FragDroid successfully covered 66% Fragments and the corresponding API calls of testing apps. Also, the traditional approaches have to miss at least 9.6% of API calls invoked in Fragments.
【Keywords】: Android Test; Fragment; Activity; Automated Analysis
【Paper Link】 【Pages】:410-417
【Authors】: Edgardo Barsallo Yi ; Amiya Maji ; Saurabh Bagchi
【Abstract】: As wearable devices like smartwatches and fitness monitors gain in popularity and are being touted for clinical purposes, it becomes important to evaluate the reliability of Android Wear OS and apps on such devices. To date there has been no study done by systematic error injection into the OS or the apps. We address this gap in this work. We develop and open source a fuzz testing tool for Android Wear apps and services, called Qui-Gon Jinn (QGJ). We perform an extensive fault injection study by mutating inter-process communication messages and UI events and direct about 1.5M such mutated events at 46 apps. These apps are divided into two categories: health/fitness and other. The results of our study show some patterns distinct from prior studies of Android. Over the years, input validation has improved and fewer NullPointerExceptions are seen, however, Android Wear apps crash from unhandled IllegalStateExceptions at a higher rate. There are occasional troubling cases of the entire device rebooting due to unprivileged mutated messages. Reassuringly the apps are quite robust to mutations of UI events with only 0.05% of them causing an app crash.
【Keywords】: android; android wear; fuzz; robustness; wearable
【Paper Link】 【Pages】:418-429
【Authors】: Le Yu ; Jiachi Chen ; Hao Zhou ; Xiapu Luo ; Kang Liu
【Abstract】: Removing all function errors is critical for making successful mobile apps. Since app testing may miss some function errors given limited time and resource, the user reviews of mobile apps are very important to developers for learning the uncaught errors. Unfortunately, manually handling each review is time-consuming and even error-prone. Existing studies on mobile apps' reviews could not help developers effectively locate the problematic code according to the reviews, because the majority of such research does not take into account apps' code. Moreover, recent studies on mapping reviews to problematic source files just look for the matching between the words in reviews and that in source code, and thus result in many false positives and false negatives. In this paper, we propose a novel approach to localize function errors in mobile apps by exploiting the context information in user reviews and correlating the reviews and bytecode through their semantic meanings. We realize our new approach as a tool named ReviewSolver, and carefully evaluate it with reviews of real apps. The experimental result shows that ReviewSolver has much better performance than the state-of-the-art tool.
【Keywords】: Review; bug; Android; Static Analysis; NLP
【Paper Link】 【Pages】:430-441
【Authors】: Kai Cheng ; Qiang Li ; Lei Wang ; Qian Chen ; Yaowen Zheng ; Limin Sun ; Zhenkai Liang
【Abstract】: A rising number of embedded devices are reachable in the cyberspace, such as routers, cameras, printers, etc. Those devices usually run firmware whose code is proprietary with few public documents. Furthermore, most of the firmware images cannot be analyzed in dynamic analysis due to various hardware-specific peripherals. As a result, it hinders traditional static analysis and dynamic analysis techniques. In this paper, we propose a static binary analysis approach, DTaint, to detect taint-style vulnerabilities in the firmware. The taint-style vulnerability is a typical class of weakness, where the input data reaches a sensitive sink through an unsafe path. Specifically, we generate data dependency in a bottom-up manner through traversing callees before callers. To reduce the influence of the binary firmware, DTaint identifies pointer aliasing, interprocedural data flow, and similarity of the data structure layout. We have implemented a prototype of DTaint and conducted experiments to evaluate its performance. Our results show that DTaint discovers more vulnerabilities in less time, compared with the existing techniques. Furthermore, we illustrate the effectiveness of DTaint through applying it over six firmware images from four manufacturers. We have found 21 vulnerabilities, where 13 of them are previously-unknown and zero-day vulnerabilities.
【Keywords】: Taint style Vulnerability; Firmware
【Paper Link】 【Pages】:442-453
【Authors】: Lei Zhang ; Douglas Blough
【Abstract】: Confidentiality is a fundamental goal in many security contexts. Deception is another goal in which the intention is to mislead adversaries, for example by planting false information in a system. In this paper, we consider an approach that combines confidentiality and deception using secret sharing, which has traditionally been used strictly for confidentiality purposes. The motivation for this is to protect confidentiality as far as possible while acknowledging that no confidentiality scheme provides perfect protection. If confidentiality is breached and information is accessed by unauthorized individuals, our techniques will reveal, with high probability, only false information. This provides deception on top of the confidentiality provided by ordinary secret sharing. We refer to our approach as "deceptive secret sharing" and we present techniques that work with both XOR secret sharing and Shamir's polynomial-based threshold secret sharing. We provide extensive evaluations of both overhead and security of our techniques and we also show how they provide tunable security that can trade off security and overhead by varying a single parameter of the schemes.
【Keywords】: secret sharing; deception; confidentiality; cloud storage security
【Paper Link】 【Pages】:454-465
【Authors】: Bing Chang ; Fengwei Zhang ; Bo Chen ; Yingjiu Li ; Wen Tao Zhu ; Yangguang Tian ; Zhan Wang ; Albert Ching
【Abstract】: We introduce MobiCeal, the first practical Plausibly Deniable Encryption (PDE) system for mobile devices that can defend against strong coercive multi-snapshot adversaries, who may examine the storage medium of a user's mobile device at different points of time and force the user to decrypt data. MobiCeal relies on "dummy write" to obfuscate the differences between multiple snapshots of storage medium due to existence of hidden data. By incorporating PDE in block layer, MobiCeal supports a broad deployment of any block-based file systems on mobile devices. More importantly, MobiCeal is secure against side channel attacks which pose a serious threat to existing PDE schemes. A proof of concept implementation of MobiCeal is provided on an LG Nexus 4 Android phone using Android 4.2.2. It is shown that the performance of MobiCeal is significantly better than prior PDE systems against multi-snapshot adversaries.
【Keywords】: Plausibly Deniable Encryption; Mobile Security; Multi snapshot Adversary; Side Channel Attack; Fast Switching
【Paper Link】 【Pages】:466-477
【Authors】: Antoine Boutet ; Florestant De Moor ; Davide Frey ; Rachid Guerraoui ; Anne-Marie Kermarrec ; Antoine Rault
【Abstract】: Recommendation systems help users identify interesting content, but they also open new privacy threats. In this paper, we deeply analyze the effect of a Sybil attack that tries to infer information on users from a user-based collaborative-filtering recommendation systems. We discuss the impact of different similarity metrics used to identity users with similar tastes in the trade-off between recommendation quality and privacy. Finally, we propose and evaluate a novel similarity metric that combines the best of both worlds: a high recommendation quality with a low prediction accuracy for the attacker. Our results, on a state-of-the-art recommendation framework and on real datasets show that existing similarity metrics exhibit a wide range of behaviors in the presence of Sybil attacks, while our new similarity metric consistently achieves the best trade-off while outperforming state-of-the-art solutions.
【Keywords】: Collaborative Filtering; Sybil Attack; privacy
【Paper Link】 【Pages】:478-489
【Authors】: Julien Duchêne ; Eric Alata ; Vincent Nicomette ; Mohamed Kaâniche ; Colas Le Guernic
【Abstract】: This paper proposes a new obfuscation technique of a communication protocol that is aimed at making the reverse engineering of the protocol more complex. The obfuscation is based on the transformation of protocol message format specification. The obfuscating transformations are applied to the Abstract Syntax Tree (AST) representation of the messages and mainly concern the ordering or aggregation of the AST nodes. The paper also presents the design of a framework that implements the proposed obfuscation technique by automatically generating, from the specification of the message format, a library performing the corresponding transformations. Finally, our framework is applied to two real application protocols (Modbus and HTTP) to illustrate the relevance and efficiency of the proposed approach. Various metrics recorded from the experiments show the significant increase of the complexity of the obfuscated protocol binary compared to the non-obfuscated code. It is also shown that the execution time and memory overheads remain acceptable for a practical deployment of the approach in operation.
【Keywords】: security; obfuscation; communication protocols
【Paper Link】 【Pages】:490-501
【Authors】: Sangwoo Kim ; Seokmyung Hong ; Jaesang Oh ; Heejo Lee
【Abstract】: Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.
【Keywords】: Machine learning; VBA macro; Microsoft Office document; Macro malware; Obfuscation
【Paper Link】 【Pages】:502-513
【Authors】: Christopher Michael Bailey ; Rogério de Lemos
【Abstract】: Self-adaptive systems are able to modify their behaviour and/or structure in response to changes that occur to the system itself, its environment, or even its goals. In terms of authorisation infrastructures, self-adaptation has been shown to provide runtime capabilities for specifying and enforcing access control policies and subject access privileges, with a goal to mitigate insider threat. The evaluation of self-adaptive authorisation infrastructures, particularly, in the context of insider threats, is challenging because simulation of malicious behaviour can only demonstrate a fraction of the types of abuse that is representative of the real-world. In this paper, we present an innovative approach based on an ethical game of hacking, protected by an authorisation infrastructure. A key feature of the approach is the ability to observe user activity pre- and post-adaptation when evaluating runtime consequences of self-adaptation. Our live experiments captured a wide range of unpredictable changes, including malicious behaviour related to the exploitation of known vulnerabilities. As an outcome, we demonstrated the ability of our self-adaptive authorisation infrastructure to handle malicious behaviour given the existence of real and intelligent users, in addition to capturing how users responded to adaptation.
【Keywords】: insider threats; authorisation infrastructures; self-adaptive systems; gamification
【Paper Link】 【Pages】:514-525
【Authors】: Ahmed M. Fawaz ; Mohammad A. Noureddine ; William H. Sanders
【Abstract】: We propose POWERALERT, an efficient external integrity checker for untrusted hosts. Current attestation systems suffer from shortcomings, including requiring a complete checksum of the code segment, from being static, use of timing information sourced from the untrusted machine, or using imprecise timing information such as network round-trip time. We address those shortcomings by (1) using power measurements from the host to ensure that the checking code is executed and (2) checking a subset of the kernel space over an extended period. We compare the power measurement against a learned power model of the execution of the machine and validate that the execution was not tampered. Finally, POWERALERT randomizes the integrity checking program to prevent the attacker from adapting. We model the interaction between POWERALERT and an attacker as a time-continuous game. The Nash equilibrium strategy of the game shows that POWERALERT has two optimal strategy choices: (1) aggressive checking that forces the attacker into hiding, or (2) slow checking that minimizes cost. We implement a prototype of POWERALERT using Raspberry Pi and evaluate the performance of the integrity checking program generation.
【Keywords】: integrity checking; game theory; attestation; power attestation
【Paper Link】 【Pages】:526-533
【Authors】: Elena Troubitsyna ; Irum Rauf
【Abstract】: Authorization is an important security concern in cloud computing environments. It aims at regulating an access of the users to system resources. A large number of resources associated with REST APIs typical in cloud makes an implementation of security requirements challenging and error-prone. To alleviate this problem, in this paper we propose an implementation of security cloud monitor. We rely on model-driven approach to represent the functional and security requirements. Models are then used to generate cloud monitors. The cloud monitors contain contracts used to automatically verify the implementation. We use Django web framework to implement cloud monitor and OpenStack to validate our implementation.
【Keywords】: Cloud Monitors; Openstack; Models; UML; Security; MDSE; Private Clouds; Cinder
【Paper Link】 【Pages】:534-541
【Authors】: Francisco Neves ; Nuno Machado ; JosA Pereira
【Abstract】: Programmers and support engineers typically rely on log data to narrow down the root cause of unexpected behaviors in dependable distributed systems. Unfortunately, the inherently distributed nature and complexity of such distributed executions often leads to multiple independent logs, scattered across different physical machines, with thousands or millions entries poorly correlated in terms of event causality. This renders log-based debugging a tedious, time-consuming, and potentially inconclusive task. We present Falcon, a tool aimed at making log-based analysis of distributed systems practical and effective. Falcon's modular architecture, designed as an extensible pipeline, allows it to seamlessly combine several distinct logging sources and generate a coherent space-time diagram of distributed executions. To preserve event causality, even in the presence of logs collected from independent unsynchronized machines, Falcon introduces a novel happens-before symbolic formulation and relies on an off-the-shelf constraint solver to obtain a coherent event schedule. Our case study with the popular distributed coordination service Apache Zookeeper shows that Falcon eases the log-based analysis of complex distributed protocols and is helpful in bridging the gap between protocol design and implementation.
【Keywords】: distributed systems; log-based analysis; execution flow
【Paper Link】 【Pages】:542-553
【Authors】: Simon Bouget ; Yérom-David Bromberg ; Adrien Luxey ; François Taïani
【Abstract】: Modern large scale distributed systems increasingly espouse sophisticated distributed architectures characterized by complex distributed structural invariants. Unfortunately, maintaining these structural invariants at scale is time consuming and error prone, as developers must take into account asynchronous failures, loosely coordinated sub-systems and network delays. To address this problem, we propose PLEIADES, a new framework to construct and enforce large-scale distributed structural invariants under aggressive conditions. PLEIADES combines the resilience of self-organizing overlays, with the expressiveness of an assembly-based design strategy. The result is a highly survivable framework that is able to dynamically maintain arbitrary complex distributed structures under aggressive crash failures. Our evaluation shows in particular that PLEIADES is able to restore the overall structure of a 25,600 node system in less than 11 asynchronous rounds after half of the nodes have crashed.
【Keywords】: invariant; topology; large scale systems; distributed systems; gossip; epidemic protocols; maintenance; resilience
【Paper Link】 【Pages】:554-561
【Authors】: Daniel Porto ; João Leitão ; Flavio Junqueira ; Rodrigo Rodrigues
【Abstract】: The design of distributed protocols that run in data centers and enterprise clusters is heavily dependent on synchrony assumptions regarding the timing behavior of the participating nodes and the network. However, little is known about the actual synchrony of real distributed systems, and how it varies across deployments. To better understand this timing behavior and how it impacts the design and implementation of distributed protocols, we conduct an extensive measurement study of the latency for transmitting and processing messages between nodes in four different environments. Our study determines how protocol characteristics affect the latency behavior. We also determine how different environmental factors can affect the measured latency and whether high latency events manifest globally or locally. Our results suggest several directions for reducing latency, and for leveraging recent distributed computing models in a more judicious way.
【Keywords】: Measurement study; Latency; Distributed systems; Synchrony
【Paper Link】 【Pages】:562-573
【Authors】: Sadegh Torabi ; Elias Bou-Harb ; Chadi Assi ; Mario Galluscio ; Amine Boukhtouta ; Mourad Debbabi
【Abstract】: Recent attacks have highlighted the insecurity of the Internet of Things (IoT) paradigm by demonstrating the impacts of leveraging Internet-scale compromised IoT devices. In this paper, we address the lack of IoT-specific empirical data by drawing upon more than 5TB of passive measurements. We devise data-driven methodologies to infer compromised IoT devices and those targeted by denial of service attacks. We perform large-scale characterization analysis of their traffic, as well as explore a public threat repository and an in-house malware database, to underlie their malicious activities. The results expose a significant 26 thousand compromised IoT devices "in the wild," with 40% being active in critical infrastructure. More importantly, we uncover new, previously unreported malware variants that specifically target IoT devices. Our empirical results render a first attempt to highlight the large-scale insecurity of the IoT paradigm, while alarming about the rise of new generations of IoT-centric malware-orchestrated botnets.
【Keywords】: compromised IoT; darknet; Internet scanning; backscatter; DDoS; cyber physical systems; consumer IoT
【Paper Link】 【Pages】:574-585
【Authors】: Pinyao Guo ; Hunmin Kim ; Nurali Virani ; Jun Xu ; Minghui Zhu ; Peng Liu
【Abstract】: Mobile robots such as unmanned vehicles integrate heterogeneous capabilities in sensing, computation, and control. They are representative cyber-physical systems where the cyberspace and the physical world are strongly coupled. However, the safety of mobile robots is significantly threatened by cyber/physical attacks and software/hardware failures. These threats can thwart normal robot operations and cause robot misbehaviors. In this paper, we propose a novel anomaly detection system, which leverages physical dynamics of mobile robots to detect misbehaviors in sensors and actuators. We explore issues raised in real-world implementations, e.g., distinctive robot dynamic models, sensor quantity and quality, decision parameters, etc., for practicality purposes. We implement the detection system on two types of mobile robots and evaluate the detection performance against various misbehavior scenarios, including signal interference, sensor spoofing, logic bomb and physical jamming. The experiments show detection effectiveness and small detection delays.
【Keywords】: anomaly detection; mobile robot; cyber physical system; input and state estimation
【Paper Link】 【Pages】:586-597
【Authors】: Subho S. Banerjee ; Saurabh Jha ; James Cyriac ; Zbigniew T. Kalbarczyk ; Ravishankar K. Iyer
【Abstract】: Autonomous vehicle (AV) technology is rapidly becoming a reality on U.S. roads, offering the promise of improvements in traffic management, safety, and the comfort and efficiency of vehicular travel. The California Department of Motor Vehicles (DMV) reports that between 2014 and 2017, manufacturers tested 144 AVs, driving a cumulative 1,116,605 autonomous miles, and reported 5,328 disengagements and 42 accidents involving AVs on public roads. This paper investigates the causes, dynamics, and impacts of such AV failures by analyzing disengagement and accident reports obtained from public DMV databases. We draw several conclusions. For example, we find that autonomous vehicles are 15 - 4000Ã- worse than human drivers for accidents per cumulative mile driven; that drivers of AVs need to be as alert as drivers of non-AVs; and that the AVs' machine-learning-based systems for perception and decision-and-control are the primary cause of 64% of all disengagements.
【Keywords】: Autonomous Vehicles; Reliability; Fault Characterization; Disengagement; Accident
【Paper Link】 【Pages】:598-609
【Authors】: Radha Venkatagiri ; Karthik Swaminathan ; Chung-Ching Lin ; Liang Wang ; Alper Buyuktosunoglu ; Pradip Bose ; Sarita V. Adve
【Abstract】: In this work, we examine the resiliency of a state-of-the-art end-to-end video summarization (VS) application that serves as a representative emerging workload in the domain of real time edge computing. The VS application constitutes key video and image analytic elements that are processed by embedded systems aboard unmanned aerial vehicles (UAVs). Real-time performance and energy constraints motivate the consideration of approximations to the VS algorithm. However, mission-critical UAV applications also demand stringent levels of resilience to soft errors that are exacerbated with higher altitude. In this work, we study the effects of three different types of software approximations on the application level resiliency (to soft errors) of the VS algorithm. We show that our approximations yield significant energy savings (up to 68%), with commensurate improvement in performance, without a degradation in the application resilience. Further, by proposing a novel quality metric (appropriate for the UAV vision analytics domain) for the summarized video output, we show that even though the rate of Silent Data Corruptions (SDCs) increases slightly (<;2%), the impact of these SDCs on output quality is limited. Thus, we conclude that software approximation can be utilized to achieve significant gains in performance and energy without affecting application resiliency.
【Keywords】: Hardware Resiliency; Approximate Computing; Soft errors; Real time vision analytics
【Paper Link】 【Pages】:610-621
【Authors】: Jiwon Choi ; Hayoung Jeoung ; Jihun Kim ; Youngjoo Ko ; Wonup Jung ; Hanjun Kim ; Jong Kim
【Abstract】: A fast and reliable method to detect faulty IoT devices is indispensable in IoT environments. In this paper, we present DICE, an automatic method to detect and identify faulty IoT devices with context extraction. Our system works in two phases. In a precomputation phase, the system precomputes sensor correlation and the transition probability between sensor states known as context. During a real-time phase, the system finds a violation of sensor correlation and transition to detect and identify the faults. In detection, we analyze the sensor data to find any missing or newly reacting IoT devices that are deviating from already grouped correlated sensors, and state transition to find the presence of an abnormal sequence. Then, the system identifies the faulty device by comparing the problematic context with the probable ones. We demonstrate that DICE identifies faulty devices accurately and promptly through the evaluation on various fault types and datasets.
【Keywords】: Context Extraction; Fault Detection; Identification; Internet of Things; Smart Home
【Paper Link】 【Pages】:622-633
【Authors】: Kun Xie ; Heng Tao ; Xin Wang ; Gaogang Xie ; Jigang Wen ; Jiannong Cao ; Zheng Qin
【Abstract】: Ensuring transmission survivability is a crucial problem for high-speed networks. Path protection is a fast and capacity-efficient approach for increasing the availability of end to end connections. The emerging SDN infrastructure makes it feasible to provide diversity routing in a practical network. For more robust path protection, it is desirable to provide an alternative path that does not share any risk resource with the active path. We consider finding the SRLG-Disjoint paths, where a Shared Risk Link Group (SRLG) is a group of network links that share a common physical resource whose failure will cause the failure of all links of the group. Since the traffic is carried on the active path most of time, it is useful that the weight of the shorter path of the disjoint path pair is minimized, and we call it Min-Min SRLG-Disjoint routing problem. The key issue faced by SRLG-Disjoint routing is the trap problem, where the SRLG-disjoint backup path (BP) can not be found after an active path (AP) is decided. Based on the min-cut of the graph, we design an efficient algorithm that can take advantage of existing search results to quickly look for the SRLG-Disjoint path pair. Our performance studies demonstrate that our algorithm can outperform other approaches with a higher routing performance while also at a much faster speed.
【Keywords】: Shared Risk Link Groups (SRLG); SRLG Disjoint Routing; Max-Flow Min-Cut Theorem
【Paper Link】 【Pages】:634-641
【Authors】: Tomas Hlavacek ; Amir Herzberg ; Haya Shulman ; Michael Waidner
【Abstract】: Performing Route Origin Validation (ROV) to filter BGP announcements, which contradict Route Origin Authorizations (ROAs) is critical for protection against BGP prefix hijacks. Recent works quantified ROV enforcing Autonomous Systems (ASes) using control-plane experiments. In this work we show that control-plane experiments do not provide accurate information about ROV-enforcing ASes. We devise data-plane approaches for evaluating ROV in the Internet and perform both control and data-plane experiments using different data acquisition sources. We analyze and correlate the results of our study to identify the number of ASes enforcing ROV, and hence protected with RPKI. We perform simulations with the ROV-enforcing ASes that we identified, and find that their impact on the Internet security against prefix hijacks is negligible. As a countermeasure we provide recommendations how to cope with the main factor hindering wide adoption of ROV.
【Keywords】: RPKI; Route Origin Validation; ROV; Controlled Experiments; BGP
【Paper Link】 【Pages】:642-653
【Authors】: Catello Di Martino ; Ugo Giordano ; Nishok Mohanasamy ; Stefano Russo ; Marina Thottan
【Abstract】: The following topics are dealt with: security of data; computer network security; program diagnostics; invasive software; Internet; fault tolerant computing; program debugging; public domain software; cloud computing; and embedded systems.
【Keywords】: telecom operator; sdn; telco cloud; benchmarking; performance
【Paper Link】 【Pages】:654-665
【Authors】: Baojun Liu ; Chaoyi Lu ; Zhou Li ; Ying Liu ; Hai-Xin Duan ; Shuang Hao ; Zaifeng Zhang
【Abstract】: Internationalized Domain Names (IDNs) are domain names containing non-ASCII characters. Despite its installation in DNS for more than 15 years, little has been done to understand how this initiative was developed and its security implications. In this work, we aim to fill this gap by studying the IDN ecosystem and cyber-attacks abusing IDN. In particular, we performed by far the most comprehensive measurement study using IDNs discovered from 56 TLD zone files. Through correlating data from auxiliary sources like WHOIS, passive DNS and URL blacklists, we gained many insights. Our discoveries are multi-faceted. On one hand, 1.4 million IDNs were actively registered under over 700 registrars, and regions within east Asia have seen prominent development in IDN registration. On the other hand, most of the registrations were opportunistic: they are currently not associated with meaningful websites and they have severe configuration issues (e.g., shared SSL certificates). What is more concerning is the rising trend of IDN abuse. So far, more than 6K IDNs were determined as malicious by URL blacklists and we also identified 1,516 and 1,497 IDNs showing high visual and semantic similarity to reputable brand domains (e.g., apple.com). Meanwhile, brand owners have only registered a few of these domains. Our study suggests the development of IDN needs to be re-examined. New solutions and proposals are needed to address issues like its inadequate usage and new attack surfaces.
【Keywords】: Internationalized Domain Name; Domain abuse; Network measurement
【Paper Link】 【Pages】:666-677
【Authors】: Hui Xu ; Yangfan Zhou ; Yu Kang ; Fengzhi Tu ; Michael R. Lyu
【Abstract】: Control-flow obfuscation increases program complexity by semantic-preserving transformation. Opaque predicates are essential gadgets to achieve such transformation. However, we observe that real-world opaque predicates are generally very simple and engage little security consideration. Recently, such insecure opaque predicates have been severely attacked by symbolic execution-based adversaries and jeopardize the security of control-flow obfuscation. This paper, therefore, proposes symbolic opaque predicates which can be resilient to symbolic execution-based adversaries. We design a general framework to compose such opaque predicates, which requires introducing challenging symbolic analysis problems (e.g., symbolic memory) in each opaque predicate. In this way, we may mislead symbolic execution engines into reaching false conclusions. We observe a novel bi-opaque property about symbolic opaque predicates, which can incur not only false negative issues but also false positive issues to attackers. To evaluate the efficacy of our idea, we have implemented a prototype obfuscation tool based on Obfuscator-LLVM and conduct experiments with real-world programs. Our evaluation results show that symbolic opaque predicates demonstrate excellent resilience to prevalent symbolic execution engines, such as BAP, Triton, and Angr. Moreover, although the costs of symbolic opaque predicates may vary for different problem settings, some predicates can be very efficient. Therefore, our framework is both secure and usable. Users can follow the framework to introduce symbolic opaque predicates into their obfuscation tools and made them more powerful.
【Keywords】: obfuscation; symbolic execution
【Paper Link】 【Pages】:678-689
【Authors】: Angello Astorga ; Siwakorn Srisakaokul ; Xusheng Xiao ; Tao Xie
【Abstract】: When tests fail (e.g., throwing uncaught exceptions), automatically inferred preconditions can bring various debugging benefits to developers. If illegal inputs cause tests to fail, developers can directly insert the preconditions in the method under test to improve its robustness. If legal inputs cause tests to fail, developers can use the preconditions to infer failure-inducing conditions. To automatically infer preconditions for better support of debugging, in this paper, we propose PREINFER, a novel approach that aims to infer accurate and concise preconditions based on symbolic analysis. Specifically, PREINFER includes two novel techniques that prune irrelevant predicates in path conditions collected from failing tests, and that generalize predicates involving collection elements (i.e., array elements) to infer desirable quantified preconditions. Our evaluation on two benchmark suites and two real-world open-source projects shows PREINFER's high effectiveness on precondition inference and its superiority over related approaches.
【Keywords】: precondition inference; dynamic symbolic execution; symbolic analysis; path conditions
【Paper Link】 【Pages】:690-701
【Authors】: Zhenyu Ning ; Fengwei Zhang
【Abstract】: The scale of Android applications in the market is growing rapidly. To efficiently detect the malicious behavior in these applications, an array of static analysis tools are proposed. However, static analysis tools suffer from code hiding techniques like packing, dynamic loading, self modifying, and reflection. In this paper, we thus present DexLego, a novel system that performs a reassembleable bytecode extraction for aiding static analysis tools to reveal the malicious behavior of Android applications. DexLego leverages just-in-time collection to extract data and bytecode from an application at runtime, and reassembles them to a new Dalvik Executable (DEX) file offline. The experiments on DroidBench and real-world applications show that DexLego precisely reconstructs the behavior of an application in the reassembled DEX file, and significantly improves analysis result of the existing static analysis systems.
【Keywords】: Android; application analysis; static analysis; dynamic analysis; unpacking; self modifying code