31st IEEE Symposium on Security and Privacy, S&P 2010, 16-19 May 2010, Berleley/Oakland, California, USA. IEEE Computer Society 【DBLP Link】
【Paper Link】 【Pages】:3-13
【Authors】: Peter G. Neumann ; Matt Bishop ; Sean Peisert ; Marv Schaefer
【Abstract】: This article is a retrospective of concepts and people who have contributed significantly to the IEEE Symposium on Security and Privacy over the past 30 years. The authors identify many individuals who have contributed to SSP as program chairs, general chairs, and heads of the overseeing IEEE technical committee. They recognize SSP participants who have provided significant leadership in creating and funding opportunities for research and development in security and privacy. Some contributions to advances in security are also discussed in following articles by Carl Landwehr and Douglas Maughan, both of whom have been major instigators of R&D programs at multiple US government agencies. The authors also highlight some influential SSP papers from three decades, and also efforts that have had significant impact in providing or stimulating effective technology transfer, as well as authors and educators whose work provided major contributions to academic curricula, all helping instill trustworthiness into computercommunication security. Finally, they identify some of the anniversary event honorees.
【Keywords】: Cryptography; Hardware; History; Intrusion detection; Kernel; Privacy; Protocols; 30th Anniversary Retrospective; Privacy; Security
【Paper Link】 【Pages】:14-20
【Authors】: Carl E. Landwehr
【Abstract】: This paper traces the history of cyber security research funding by the U.S. government. Difficulties in accurately measuring the level of U.S. government research funding for cyber security are first described. Some of the legislative and bureaucratic mechanisms involved in funding and reporting such research today are reviewed. A qualitative, personal perspective on the ups and downs of US cyber security research funding from the late 1960s to 2010 is then provided. The essay is written for the thirtieth anniversary meeting of the IEEE Symposium on Security and Privacy, held in May 2010.
【Keywords】: Computer security; Educational institutions; History; Information security; Investments; Meetings; Privacy; US Government; USA Councils; Uninterruptible power systems; CSIA; HPC; NCO; NITRD; computer security; cybersecurity research; information assurance; information security; research funding
【Paper Link】 【Pages】:21-26
【Authors】: W. Douglas Maughan
【Abstract】: Many researchers with innovative ideas just never seem to be able to bring those ideas to market. One of the biggest problems with the cyber security research community is transitioning technology into commercial product. This paper discusses these technology transition activities from the view of a program manager and offers several examples of successful transition for consideration.
【Keywords】: Business; Companies; Computer security; Government; Privacy; Prototypes; Research and development; Technology management; Testing; USA Councils; cybersecurity; development; open source; research; small business; technology transition
【Paper Link】 【Pages】:29-44
【Authors】: Clemens Kolbitsch ; Thorsten Holz ; Christopher Kruegel ; Engin Kirda
【Abstract】: Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: Only if an analyst understands the behavior of a given sample, she can design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes. In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion. Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.
【Keywords】: Algorithm design and analysis; Command and control systems; Communication system control; Data mining; Electronic mail; Embedded software; Internet; Privacy; Security; USA Councils
【Paper Link】 【Pages】:45-60
【Authors】: Matt Fredrikson ; Somesh Jha ; Mihai Christodorescu ; Reiner Sailer ; Xifeng Yan
【Abstract】: Fueled by an emerging underground economy, malware authors are exploiting vulnerabilities at an alarming rate. To make matters worse, obfuscation tools are commonly available, and much of the malware is open source, leading to a huge number of variants. Behavior-based detection techniques are a promising solution to this growing problem. However, these detectors require precise specifications of malicious behavior that do not result in an excessive number of false alarms. In this paper, we present an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based on graph mining and concept analysis, scales to large classes of programs due to probabilistic sampling of the specification space. Our implementation, called Holmes, can synthesize discriminative specifications that accurately distinguish between programs, sustaining an 86% detection rate on new, unknown malware, with 0 false positives, in contrast with 55% for commercial signature-based antivirus (AV) and 62-64% for behavior-based AV (commercial or research).
【Keywords】: Art; Computer hacking; Computer science; Computer security; Credit cards; Detectors; Humans; Internet; Privacy; Sampling methods; Malware; Probabilistic Optimization; Software Security; Specification
【Paper Link】 【Pages】:61-76
【Authors】: Paolo Milani Comparetti ; Guido Salvaneschi ; Engin Kirda ; Clemens Kolbitsch ; Christopher Kruegel ; Stefano Zanero
【Abstract】: To handle the growing flood of malware, security vendors and analysts rely on tools that automatically identify and analyze malicious code. Current systems for automated malware analysis typically follow a dynamic approach, executing an unknown program in a controlled environment (sandbox) and recording its runtime behavior. Since dynamic analysis platforms directly run malicious code, they are resilient to popular malware defense techniques such as packing and code obfuscation. Unfortunately, in many cases, only a small subset of all possible malicious behaviors is observed within the short time frame that a malware sample is executed. To mitigate this issue, previous work introduced techniques such as multi-path or forced execution to increase the coverage of dynamic malware analysis. Unfortunately, using these techniques is potentially expensive, as the number of paths that require analysis can grow exponentially. In this paper, we propose Reanimator, a novel solution to determine the capabilities (malicious functionality) of malware programs. Our solution is based on the insight that we can leverage behavior observed while dynamically executing a specific malware sample to identify similar functionality in other programs. More precisely, when we observe malicious actions during dynamic analysis, we automatically extract and model the parts of the malware binary that are responsible for this behavior. We then leverage these models to check whether similar code is present in other samples. This allows us to statically identify dormant functionality (functionality that is not observed during dynamic analysis) in malicious programs. We evaluate our approach on thousands of real-world malware samples, and we show that our system is successful in identifying additional, malicious functionality. As a result, our approach can significantly improve the coverage of malware analysis results.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Educational institutions; Large scale integration; Logic; Registers; Telecommunication control; binary analysis; dormant functionality; malware analysis
【Paper Link】 【Pages】:79-92
【Authors】: Sardaouna Hamadou ; Vladimiro Sassone ; Catuscia Palamidessi
【Abstract】: Belief and vulnerability have been proposed recently to quantify information flow in security systems. Both concepts stand as alternatives to the traditional approaches founded on Shannon entropy and mutual information, which were shown to provide inadequate security guarantees. In this paper we unify the two concepts in one model so as to cope with (potentially inaccurate) attackers' extra knowledge. To this end we propose a new metric based on vulnerability that takes into account the adversary's beliefs.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Educational institutions; Large scale integration; Logic; Registers; Telecommunication control; Security; accuracy; belief; data confidentiality; information flow; information hiding; quantitative and probabilistic models; uncertainty; vulnerability
【Paper Link】 【Pages】:93-108
【Authors】: Bruno P. S. Rocha ; Sruthi Bandhakavi ; Jerry den Hartog ; William H. Winsborough ; Sandro Etalle
【Abstract】: Simple non-interference is too restrictive for specifying and enforcing information flow policies in most programs. Exceptions to non-interference are provided using declassification policies. Several approaches for enforcing declassification have been proposed in the literature. In most of these approaches, the declassification policies are embedded in the program itself or heavily tied to the variables in the program being analyzed, thereby providing little separation between the code and the policy. Consequently, the previous approaches essentially require that the code be trusted, since to trust that the correct policy is being enforced, we need to trust the source code. In this paper, we propose a novel framework in which declassification policies are related to the source code being analyzed via its I/O channels. The framework supports many of the of declassification policies identified in the literature. Based on flow-based static analysis, it represents a first step towards a new approach that can be applied to untrusted and legacy source code to automatically verify that the analyzed program complies with the specified declassification policies. The analysis works by constructing a conservative approximation of expressions over input channel values that could be output by the program, and by determining whether all such expressions satisfy the declassification requirements stated in the policy. We introduce a representation of such expressions that resembles tree automata. We prove that if a program is considered safe according to our analysis then it satisfies a property we call Policy Controlled Release, which formalizes information-flow correctness according to our notion of declassification policy. We demonstrate, through examples, that our approach works for several interesting and useful declassification policies, including one involving declassification of the average of several confidential values.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Educational institutions; Large scale integration; Logic; Registers; Telecommunication control
【Paper Link】 【Pages】:109-124
【Authors】: Dominique Devriese ; Frank Piessens
【Abstract】: A program is defined to be noninterferent if its outputs cannot be influenced by inputs at a higher security level than their own. Various researchers have demonstrated how this property (or closely related properties) can be achieved through information flow analysis, using either a static analysis (with a type system or otherwise), or using a dynamic monitoring system. We propose an alternative approach, based on a technique we call secure multi-execution. The main idea is to execute a program multiple times, once for each security level, using special rules for I/O operations. Outputs are only produced in the execution linked to their security level. Inputs are replaced by default inputs except in executions linked to their security level or higher. Input side effects are supported by making higher-security-level executions reuse inputs obtained in lower-security-level threads. We show that this approach is interesting from both a theoretical and practical viewpoint. Theoretically, we prove for a simple deterministic language with I/O operations, that this approach guarantees complete soundness (even for the timing and termination covert channels), as well as good precision (identical I/O for terminating runs of termination-sensitively noninterferent programs). On the practical side, we present an experiment implementing secure multi-execution in the mainstream Spidermonkey Javascript engine, exploiting parallelism on a current multi-core computer. Benchmark results of execution time and memory for the Google Chrome v8 Benchmark suite show that the approach is practical for a mainstream browser setting. Certain programs are even executed faster under secure multi-execution than under the standard execution. We discuss challenges and propose possible solutions for implementing the technique in a real browser, in particular handling the DOM tree and browser callback functions. Finally, we discuss how secure multi-execution can be extended to handle language featur- s like exceptions, concurrency or nondeterminism.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Educational institutions; Large scale integration; Logic; Registers; Telecommunication control; Information Flow; Noninterference; Secure Multi-Execution
【Paper Link】 【Pages】:125-140
【Authors】: Sergio Maffeis ; John C. Mitchell ; Ankur Taly
【Abstract】: A growing number of current web sites combine active content (applications) from untrusted sources, as in so-called mashups. The object-capability model provides an appealing approach for isolating untrusted content: if separate applications are provided disjoint capabilities, a sound object-capability framework should prevent untrusted applications from interfering with each other, without preventing interaction with the user or the hosting page. In developing language-based foundations for isolation proofs based on object-capability concepts, we identify a more general notion of authority safety that also implies resource isolation. After proving that capability safety implies authority safety, we show the applicability of our framework for a specific class of mashups. In addition to proving that a JavaScript subset based on Google Caja is capability safe, we prove that a more expressive subset of JavaScript is authority safe, even though it is not based on the object-capability model.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Educational institutions; Large scale integration; Logic; Registers; Telecommunication control; Capabilities; JavaScript; Language-based Security; Operational Semantics
【Paper Link】 【Pages】:143-158
【Authors】: Jonathan M. McCune ; Yanlin Li ; Ning Qu ; Zongwei Zhou ; Anupam Datta ; Virgil D. Gligor ; Adrian Perrig
【Abstract】: An important security challenge is to protect the execution of security-sensitive code on legacy systems from malware that may infect the OS, applications, or system devices. Prior work experienced a tradeoff between the level of security achieved and efficiency. In this work, we leverage the features of modern processors from AMD and Intel to overcome the tradeoff to simultaneously achieve a high level of security and high performance. We present TrustVisor, a special-purpose hypervisor that provides code integrity as well as data integrity and secrecy for selected portions of an application. TrustVisor achieves a high level of security, first because it can protect sensitive code at a very fine granularity, and second because it has a very small code base (only around 6K lines of code) that makes verification feasible. TrustVisor can also attest the existence of isolated execution to an external entity. We have implemented TrustVisor to protect security-sensitive code blocks while imposing less than 7% overhead on the legacy OS and its applications in the common case.
【Keywords】: Algorithm design and analysis; Arm; Circuit testing; Computer security; Costs; Hardware; Logic; Privacy; Process design; Runtime; Attestation; Integrity Measurement; Minimal TCB; TPM; Trusted Computing; Virtualization
【Paper Link】 【Pages】:159-172
【Authors】: Matthew Hicks ; Murph Finnicum ; Samuel T. King ; Milo M. K. Martin ; Jonathan M. Smith
【Abstract】: The computer systems security arms race between attackers and defenders has largely taken place in the domain of software systems, but as hardware complexity and design processes have evolved, novel and potent hardware-based security threats are now possible. This paper presents a hybrid hardware/software approach to defending against malicious hardware. We propose BlueChip, a defensive strategy that has both a design-time component and a runtime component. During the design verification phase, BlueChip invokes a new technique, unused circuit identification (UCI), to identify suspicious circuitry—those circuits not used or otherwise activated by any of the design verification tests. BlueChip removes the suspicious circuitry and replaces it with exception generation hardware. The exception handler software is responsible for providing forward progress by emulating the effect of the exception generating instruction in software, effectively providing a detour around suspicious hardware. In our experiments, BlueChip is able to prevent all hardware attacks we evaluate while incurring a small runtime overhead.
【Keywords】: Algorithm design and analysis; Arm; Circuit testing; Computer security; Costs; Hardware; Logic; Privacy; Process design; Runtime
【Paper Link】 【Pages】:173-188
【Authors】: Adam Waksman ; Simha Sethumadhavan
【Abstract】: Most security mechanisms proposed to date unquestioningly place trust in microprocessor hardware. This trust, however, is misplaced and dangerous because microprocessors are vulnerable to insider attacks that can catastrophically compromise security, integrity and privacy of computer systems. In this paper, we describe several methods to strengthen the fundamental assumption about trust in microprocessors. By employing practical, lightweight attack detectors within a microprocessor, we show that it is possible to protect against malicious logic embedded in microprocessor hardware. We propose and evaluate two area-efficient hardware methods - TrustNet and DataWatch - that detect attacks on microprocessor hardware by knowledgeable, malicious insiders. Our mechanisms leverage the fact that multiple components within a microprocessor (e.g., fetch, decode pipeline stage etc.) must necessarily coordinate and communicate to execute even simple instructions, and that any attack on a microprocessor must cause erroneous communications between micro architectural subcomponents used to build a processor. A key aspect of our solution is that TrustNet and DataWatch are themselves highly resilient to corruption. We demonstrate that under realistic assumptions, our solutions can protect pipelines and on-chip cache hierarchies at negligible area cost and with no performance impact. Combining TrustNet and DataWatch with prior work on fault detection has the potential to provide complete coverage against a large class of microprocessor attacks.
【Keywords】: Computer security; Costs; Decoding; Fault detection; Hardware; Logic; Microprocessors; Pipelines; Privacy; Protection; backdoors; hardware security; microprocessors
【Paper Link】 【Pages】:191-206
【Authors】: Shuo Chen ; Rui Wang ; XiaoFeng Wang ; Kehuan Zhang
【Abstract】: With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application’s internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.
【Keywords】: Algorithm design and analysis; Arm; Circuit testing; Computer security; Costs; Hardware; Logic; Privacy; Process design; Runtime; Software-as-a-Service (SaaS); ambiguity set; encrypted traffic; padding; side-channel-leak; web application
【Paper Link】 【Pages】:207-222
【Authors】: Zhiyun Qian ; Zhuoqing Morley Mao ; Yinglian Xie ; Fang Yu
【Abstract】: Spam is increasingly accepted as a problem associated with compromised hosts or email accounts. This problem not only makes the tracking of spam sources difficult but also enables a massive amount of illegitimate or unwanted emails to be disseminated quickly. Various attempts have been made to analyze, backtrack, detect, and prevent spam using both network as well as content characteristics. However, relatively less attention has been given to understanding how spammers actually carry out their spamming activities from a network angle. Spammers’ network behavior has significant impact on spammers’ common goal, sending spam in a stealthy and efficient manner. Our work thoroughly investigates a fairly unknown spamming technique we name as triangular spamming that exploits routing irregularities of spoofed IP packets. It is highly stealthy and efficient in that triangular spamming enables 1) exploiting bandwidth diversity of botnet hosts to carry out spam campaigns effectively without divulging precious high-bandwidth hosts and 2) bypassing the current SMTP traffic blocking policies. Despite its relative obscurity, its use has been confirmed by the network operator community. Through carefully devised probing techniques and actual deployment of triangular spamming on Planetlab (a wide-area distributed testbed), we investigate the feasibility, impact of triangular spamming and propose practical detection and prevention methods. From our probing experiments, we found that 97% of the networks which block outbound SMTP traffic are vulnerable to triangular spamming and only 44% of them are listed on Spamhaus Policy Blocking List (PBL).
【Keywords】: Bandwidth; Electronic mail; Filtering; Network servers; Privacy; Relays; Routing; Security; Silicon; Telecommunication traffic
【Paper Link】 【Pages】:223-238
【Authors】: Gilbert Wondracek ; Thorsten Holz ; Engin Kirda ; Christopher Kruegel
【Abstract】: Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates and have millions of registered users. In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is sufficient to uniquely identify this person, or, at least, to significantly reduce the set of possible candidates. That is, rather than tracking a user's browser as with cookies, it is possible to track a person. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors. The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable.
【Keywords】:
【Paper Link】 【Pages】:239-254
【Authors】: Margarita Osadchy ; Benny Pinkas ; Ayman Jarrous ; Boaz Moskovich
【Abstract】: We introduce SCiFI, a system for Secure Computation of Face Identification. The system performs face identification which compares faces of subjects with a database of registered faces. The identification is done in a secure way which protects both the privacy of the subjects and the confidentiality of the database. A specific application of SCiFI is reducing the privacy impact of camera based surveillance. In that scenario, SCiFI would be used in a setting which contains a server which has a set of faces of suspects, and client machines which might be cameras acquiring images in public places. The system runs a secure computation of a face recognition algorithm, which identifies if an image acquired by a client matches one of the suspects, but otherwise reveals no information to neither of the parties. Our work includes multiple contributions in different areas: A new face identification algorithm which is unique in having been specifically designed for usage in secure computation. Nonetheless, the algorithm has face recognition performance comparable to that of state of the art algorithms. We ran experiments which show the algorithm to be robust to different viewing conditions, such as illumination, occlusions, and changes in appearance (like wearing glasses). A secure protocol for computing the new face recognition algorithm. In addition, since our goal is to run an actual system, considerable effort was made to optimize the protocol and minimize its online latency. A system - SCiFI, which implements a secure computation of the face identification protocol. Experiments which show that the entire system can run in near real-time: The secure computation protocol performs a preprocessing of all public-key cryptographic operations. Its online performance therefore mainly depends on the speed of data communication, and our experiments show it to be extremely efficient.
【Keywords】: Algorithm design and analysis; Cameras; Cryptographic protocols; Data privacy; Face recognition; Image databases; Protection; Radio access networks; Robustness; Surveillance; Secure computation; face recognition; privacy
【Paper Link】 【Pages】:257-272
【Authors】: Haowen Chan ; Adrian Perrig
【Abstract】: We consider resource-constrained broadcast authentication for $n$ receivers in a static, known network topology. There are only two known broadcast authentication protocols that do not use asymmetric cryptography, one-time signatures, multi-receiver MACs, or time synchronization [1], [2]. Both these protocols require three passes of a message front traversing the network. We investigate whether this amount of interaction can be improved efficiently for specific common topology classes, namely, linear topologies, tree topologies and fully connected topologies. We show modifications to the protocols allowing them to complete in just two passes in the linear and fully connected cases with a small constant factor increase in per-node communication overhead, and a further optimization that achieves the equivalent of just a single pass in the linear case with $O(log n)$ increase in per-node communication overhead. We also prove new lower bounds for round complexity, or the maximum number of consecutive interactions in a protocol. We show that protocols with efficient per-node communication overhead (polylogarithmic in $n$) must require at least $2log n$ rounds in any topology; this implies that our two-pass protocol in the fully-connected topology requires the fewest possible passes, and this bound is asymptotically tight for the full-duplex communication model. Furthermore, we show that communication-efficient protocols must take asymptotically more than $2log n$ rounds on trees; this implies that that there are some tree topologies for which two passes do not suffice and the existing three-pass algorithms may be optimal.
【Keywords】: Authentication; Broadcasting; Computer networks; Computer security; Cryptographic protocols; Cryptography; Network topology; Optimization methods; Privacy; USA Councils; Broadcast Authentication; Fully Connected Topology; Linear Topology; Multicast Authentication; Path Topology
【Paper Link】 【Pages】:273-285
【Authors】: Allison B. Lewko ; Amit Sahai ; Brent Waters
【Abstract】: In this work, we design a method for creating public key broadcast encryption systems. Our main technical innovation is based on a new "two equation" technique for revoking users. This technique results in two key contributions: First, our new scheme has ciphertext size overhead $O(r)$, where $r$ is the number of revoked users, and the size of public and private keys is only a emph{constant} number of group elements from an elliptic-curve group of prime order. In addition, the public key allows us to encrypt to an unbounded number of users. Our system is the first to achieve such parameters. We give two versions of our scheme: a simpler version which we prove to be selectively secure in the standard model under a new, but non-interactive assumption, and another version that employs the new dual system encryption technique of Waters to obtain adaptive security under the d-BDH and decisional Linear assumptions. Second, we show that our techniques can be used to realize Attribute-Based Encryption (ABE) systems with non-monotonic access formulas, where our key storage is significantly more efficient than previous solutions. This result is also proven selectively secure in the standard model under our new non-interactive assumption.
【Keywords】: Design methodology; Elliptic curve cryptography; Equations; Privacy; Public key; Public key cryptography; Satellite broadcasting; Security; Technological innovation; Wireless sensor networks
【Paper Link】 【Pages】:286-301
【Authors】: Yao Liu ; Peng Ning ; Huaiyu Dai
【Abstract】: To address the increasing demand for wireless bandwidth, cognitive radio networks (CRNs) have been proposed to increase the efficiency of channel utilization; they enable the sharing of channels among secondary (unlicensed) and primary (licensed) users on a non-interference basis. A secondary user in a CRN should constantly monitor for the presence of a primary user's signal to avoid interfering with the primary user. However, to gain unfair share of radio channels, an attacker (e.g., a selfish secondary user) may mimic a primary user's signal to evict other secondary users. Therefore, a secure primary user detection method that can distinguish a primary user's signal from an attacker's signal is needed. A unique challenge in addressing this problem is that Federal Communications Commission (FCC) prohibits any modification to primary users. Consequently, existing cryptographic techniques cannot be used directly. In this paper, we develop a novel approach for authenticating primary users' signals in CRNs, which conforms to FCC's requirement. Our approach integrates cryptographic signatures and wireless link signatures (derived from physical radio channel characteristics) to enable primary user detection in the presence of attackers. Essential to our approach is a {em helper node} placed physically close to a primary user. The helper node serves as a "bridge" to enable a secondary user to verify cryptographic signatures carried by the helper node's signals and then obtain the helper node's authentic link signatures to verify the primary user's signals. A key contribution in our paper is a novel physical layer authentication technique that enables the helper node to authenticate signals from its associated primary user. Unlike previous techniques for link signatures, our approach explores the geographical proximity of the helper node to the primary user, and thus does not require any training process.
【Keywords】: Bandwidth; Cognitive radio; Computer security; Computer vision; Cryptography; FCC; Monitoring; Signal processing; Software radio; TV; cognitive radio networks; link signatures; primary user detection
【Paper Link】 【Pages】:305-316
【Authors】: Robin Sommer ; Vern Paxson
【Abstract】: In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. However, despite extensive academic research one finds a striking gap in terms of actual deployments of such systems: compared with other intrusion detection approaches, machine learning is rarely employed in operational "real world" settings. We examine the differences between the network intrusion detection problem and other areas where machine learning regularly finds much more success. Our main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively. We support this claim by identifying challenges particular to network intrusion detection, and provide a set of guidelines meant to strengthen future research on anomaly detection.
【Keywords】: Computer science; Computer security; Computerized monitoring; Guidelines; Intrusion detection; Laboratories; Machine learning; National security; Privacy; Telecommunication traffic; anomaly detection; intrusion detection; machine learning; network security
【Paper Link】 【Pages】:317-331
【Authors】: Edward J. Schwartz ; Thanassis Avgerinos ; David Brumley
【Abstract】: Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time semantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
【Keywords】: Computerized monitoring; Filters; Heuristic algorithms; Information analysis; Information security; Performance analysis; Privacy; Reactive power; Runtime; Testing; dynamic analysis; symbolic execution; taint analysis
【Paper Link】 【Pages】:332-345
【Authors】: Jason Bau ; Elie Bursztein ; Divij Gupta ; John C. Mitchell
【Abstract】: Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities. In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and (iii) the relevance of the target vulnerabilities to vulnerabilities found in the wild. To conduct our study we used a custom web application vulnerable to known and projected vulnerabilities, and previous versions of widely used web applications containing known vulnerabilities. Our results show the promise and effectiveness of automated tools, as a group, and also some limitations. In particular, "stored" forms of Cross Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities are not currently found by many tools. Because our goal is to assess the potential of future research, not to evaluate specific vendors, we do not report comparative data or make any recommendations about purchase of specific tools.
【Keywords】: Automatic testing; Code standards; Computer hacking; Credit cards; Data security; Decision support systems; Forgery; Personnel; Privacy; Probes
【Paper Link】 【Pages】:349-364
【Authors】: Deepak Garg ; Frank Pfenning
【Abstract】: We present the design and implementation of PCFS, a file system that adapts proof-carrying authorization to provide direct, rigorous, and efficient enforcement of dynamic access policies. The keystones of PCFS are a new authorization logic BL that supports policies whose consequences may change with both time and system state, and a rigorous enforcement mechanism that combines proof verification with conditional capabilities. We prove that our enforcement using capabilities is correct, and evaluate our design through performance measurements and a case study.
【Keywords】: Access control; Authorization; Computer security; Control systems; Delay; File systems; Logic design; Monitoring; Principal component analysis; Throughput; Access control; file system; logic; proof-carrying authorization
【Paper Link】 【Pages】:365-379
【Authors】: Jason Franklin ; Sagar Chaki ; Anupam Datta ; Arvind Seshadri
【Abstract】: The security of systems such as operating systems, hypervisors, and web browsers depend critically on reference monitors to correctly enforce their desired security policy in the presence of adversaries. Recent progress in developing reference monitors with small code size and narrow interfaces has made automated formal verification of reference monitors a more tractable goal. However, a significant remaining factor for the complexity of automated verification is the size of the data structures (e.g., access control matrices) over which the programs operate. This paper develops a parametric verification technique that scales even when reference monitors and adversaries operate over unbounded, but finite data structures. Specifically, we develop a parametric guarded command language for modeling reference monitors and adversaries. We also present a parametric temporal specification logic for expressing security policies that the monitor is expected to enforce. The central technical results of the paper are a set of small model theorems. These theorems state that in order to verify that a policy is enforced by a reference monitor with an arbitrarily large data structure, it is sufficient to model check the monitor with just one entry in its data structure. We apply our methodology to verify the designs of two hypervisors, SecVisor and the sHype mandatory-access-control extension to Xen. Our approach is able to prove that sHype and a variant of the original SecVisor design correctly enforces the expected security properties in the presence of powerful adversaries.
【Keywords】: Command languages; Data security; Data structures; Logic; Operating systems; Power system security; Scalability; System software; Virtual machine monitors; Virtual machining; SecVisor; hypervisor; model checking; parametric verification; reference monitor; security; small model theorem
【Paper Link】 【Pages】:380-395
【Authors】: Zhi Wang ; Xuxian Jiang
【Abstract】: Virtualization is being widely adopted in today’s computing systems. Its unique security advantages in isolating and introspecting commodity OSes as virtual machines (VMs) have enabled a wide spectrum of applications. However, a common, fundamental assumption is the presence of a trustworthy hypervisor. Unfortunately, the large code base of commodity hypervisors and recent successful hypervisor attacks (e.g., VM escape) seriously question the validity of this assumption. In this paper, we present HyperSafe, a lightweight approach that endows existing Type-I bare-metal hypervisors with a unique self-protection capability to provide lifetime control flow integrity. Specifically, we propose two key techniques. The first one, non-bypassable memory lockdown, reliably protects the hypervisor’s code and static data from being compromised even in the presence of exploitable memory corruption bugs (e.g., buffer overflows), therefore successfully providing hypervisor code integrity. The second one, restricted pointer indexing, introduces one layer of indirection to convert the control data into pointer indexes. These pointer indexes are restricted such that the corresponding call/return targets strictly follow the hypervisor control flow graph, hence expanding protection to control-flow integrity. We have built a prototype and used it to protect two open-source Type-I hypervisors: BitVisor and Xen. The experimental results with synthetic hypervisor exploits and benchmarking programs show HyperSafe can reliably enable the hypervisor self-protection and provide the integrity guarantee with a small performance overhead.
【Keywords】: Buffer overflow; Computer bugs; Indexing; Lighting control; Protection; Security; Virtual machine monitors; Virtual machining; Virtual manufacturing; Voice mail; Control-Flow Integrity; Hypervisor; Rootkits
【Paper Link】 【Pages】:399-413
【Authors】: Elie Bursztein ; Steven Bethard ; Celine Fabry ; John C. Mitchell ; Daniel Jurafsky
【Abstract】: Captchas are designed to be easy for humans but hard for machines. However, most recent research has focused only on making them hard for machines. In this paper, we present what is to the best of our knowledge the first large scale evaluation of captchas from the human perspective, with the goal of assessing how much friction captchas present to the average user. For the purpose of this study we have asked workers from Amazon’s Mechanical Turk and an underground captchabreaking service to solve more than 318 000 captchas issued from the 21 most popular captcha schemes (13 images schemes and 8 audio scheme). Analysis of the resulting data reveals that captchas are often difficult for humans, with audio captchas being particularly problematic. We also find some demographic trends indicating, for example, that non-native speakers of English are slower in general and less accurate on English-centric captcha schemes. Evidence from a week’s worth of eBay captchas (14,000,000 samples) suggests that the solving accuracies found in our study are close to real-world values, and that improving audio captchas should become a priority, as nearly 1% of all captchas are delivered as audio rather than images. Finally our study also reveals that it is more effective for an attacker to use Mechanical Turk to solve captchas than an underground service.
【Keywords】: Automatic testing; Demography; Friction; Humans; Large-scale systems; Mechanical variables measurement; Privacy; Security; Speech; Statistics; audio; captchas; humans; image; mechanical turk
【Paper Link】 【Pages】:414-429
【Authors】: Bryan Parno ; Jonathan M. McCune ; Adrian Perrig
【Abstract】: Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer's state. We examine research on securely capturing a computer's state, and consider the utility of this information both for improving security on the local computer (e.g., to convince the user that her computer is not infected with malware) and for communicating a remote computer's state (e.g., to enable the user to check that a web server will adequately protect her data). Although the recent "Trusted Computing" initiative has drawn both positive and negative attention to this area, we consider the older and broader topic of bootstrapping trust in a computer. We cover issues ranging from the wide collection of secure hardware that can serve as a foundation for trust, to the usability issues that arise when trying to convey computer state information to humans. This approach unifies disparate research efforts and highlights opportunities for additional work that can guide real-world improvements in computer security.
【Keywords】: Banking; Cellular phones; Central Processing Unit; Computer security; Data security; Hardware; Humans; Information security; Privacy; Web server; Bootstrap; Code Identity; Secure Boot; TPM; Trust; Trusted Computing; Trusted Platform Module
【Paper Link】 【Pages】:433-446
【Authors】: Steven J. Murdoch ; Saar Drimer ; Ross J. Anderson ; Mike Bond
【Abstract】: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. It also demonstrates the need for the next version of EMV to be engineered properly.
【Keywords】: Authentication; Banking; Bridges; Cryptographic protocols; Cryptography; Digital signatures; Europe; Public policy; Security; Smart cards; Chip and PIN; EMV; authentication; bank security; card fraud; protocol failure; security economics
【Paper Link】 【Pages】:447-462
【Authors】: Karl Koscher ; Alexei Czeskis ; Franziska Roesner ; Shwetak Patel ; Tadayoshi Kohno ; Stephen Checkoway ; Damon McCoy ; Brian Kantor ; Danny Anderson ; Hovav Shacham ; Stefan Savage
【Abstract】: Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver inputdash including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car's two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car's telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.
【Keywords】: Automobiles; Automotive engineering; Computer networks; Computerized monitoring; Control systems; Pervasive computing; Roads; Safety; Security; Testing; Automobiles; communication standards; communication system security; computer security; data buses
【Paper Link】 【Pages】:463-478
【Authors】: Kapil Singh ; Alexander Moshchuk ; Helen J. Wang ; Wenke Lee
【Abstract】: Web browsers' access control policies have evolved piecemeal in an ad-hoc fashion with the introduction of new browser features. This has resulted in numerous incoherencies. In this paper, we analyze three major access control flaws in today's browsers: (1) principal labeling is different for different resources, raising problems when resources interplay, (2) runtime changes to principal identities are handled inconsistently, and (3)browsers mismanage resources belonging to the user principal. We show that such mishandling of principals leads to many access control incoherencies, presenting hurdles for web developers to construct secure web applications. A unique contribution of this paper is to identify the compatibility cost of removing these unsafe browser features. To do this, we have built WebAnalyzer, a crawler-based framework for measuring real-world usage of browser features, and used it to study the top 100,000 popular web sites ranked by Alexa. Our methodology and results serve as a guideline for browser designers to balance security and backward compatibility.
【Keywords】: Access control; Access protocols; Costs; Displays; Intrusion detection; Labeling; Navigation; Privacy; Runtime; Security
【Paper Link】 【Pages】:481-496
【Authors】: Leo A. Meyerovich ; V. Benjamin Livshits
【Abstract】: Much of the power of modern Web comes from the ability of a Web page to combine content and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of extra functionality, code inclusion effectively opens the hosting site up for attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that the page may include. This paper presents ConScript, a client-side advice implementation for security, built on top of Internet Explorer 8. ConScript allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widely-ranging security and reliability policies that ConScript enables, we also show how policies can be generated automatically through static analysis of server-side code or runtime analysis of client-side code. We also present a type system that helps ensure correctness of ConScript policies. To show the practicality of ConScript in a range of settings, we compare the overhead of ConScript enforcement and conclude that it is significantly lower than that of other systems proposed in the literature, both on micro-benchmarks as well as large, widely-used applications such as MSN, GMail, Google Maps, and Live Desktop.
【Keywords】: Computer bugs; Functional programming; HTML; Internet; Java; Libraries; Privacy; Runtime; Security; Web pages; JavaScript; Web and client-side programming; aspects; browsers; language security; security policies
【Paper Link】 【Pages】:497-512
【Authors】: Tielei Wang ; Tao Wei ; Guofei Gu ; Wei Zou
【Abstract】: Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-200- - 9-2688). Corresponding patches from vendors are released or in progress based on our reports.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Large scale integration; Logic; Registers; Software tools; Telecommunication control; dynamic taint analysis; fuzzing; symbolic execution
【Paper Link】 【Pages】:513-528
【Authors】: Prateek Saxena ; Devdatta Akhawe ; Steve Hanna ; Feng Mao ; Stephen McCamant ; Dawn Song
【Abstract】: As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code’s complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.
【Keywords】: Assembly; Computational modeling; Computer architecture; Digital signal processing; Digital signal processing chips; Java; Large scale integration; Logic; Registers; Telecommunication control