19 thoughts on “IEEE Security and Privacy 2014

  1. Zhou Li gave the first talk at Oakland 2014 on Hunting the Red Fox Online about mass-redirect script injections. About 85% of machine infections by volume come from compromised websites as these scale best, and one modus operandi is to turn the website scripts into redirectors that send users to exploit servers. The scripts have obfuscated redirect code inserted into legitimate javascript, which is not indexed anyway (so Google Safe Browsing doesn’t help). They collected 300k+ bad scripts from sites indexed by Microsoft and a comparable corpus from Alexa top 1m sites. Many of the javascript libraries come from about four large suppliers and 82% of attackers simply appended bad code; 47% of good scripts were unchanged (and the changed ones had no redirects). Only 316 different payloads were found across 416K bad scripts. They wrote an analysis tool that checks scripts for redirects and uses longest-common-substring methods to generate high-quality signatures that currently work for 68% of them. Finally, they studied a P2P redirect network which funnelled users to exploit servers and where hosts remained exploited for 15 days on average.

    The second speaker was Sangho Lee on Stealing Webpages Rendered on Your Browser by Exploiting GPU Vulnerabilities. They have various kinds of uninitialised memory, unerasable memory and manually-managed memory which create interesting attack tools. GPUs queue kernel functions and execute them one at a time; an observer can work out which kernel was executed by another task from the time and memory it used, and then look for data leakage. Chrome and Firefox use GPUs to accelerate rendering; this leads to a simple attack in which you figure out which websites a user with whom you share a GPU is browsing by computing the Jaccard index between pixel sequence sets. He measured pixel sequence similarity across Alexa top 1000 websites. Inference accurancy was 50% for Chrome but only 22% for Firefox (whose dumps have a lot of non-texture data). As for mitigation, clearing local memories is often possible but costs about 80 uS.

    Yuan Tian was next with “All Your Screens Are Belong to Us”. Borwsers are used by both trusted and untrusted apps; yet html5 provides a Screen Sharing API that can enable a bad guy to scrape your screen if he can steal a security token. This is easy enough with tricks like almost transparent iframes; the browser vendors will have to remove some functionality! As well as information theft, there’s an integrity attack via cross-site request forgery, as the commonly used CSRF token can be stolen (for this see Barth, Jackson, Mitchell, CCS08). Confidentiality compromises include reading history through link colours and autocompletion of content, which can leak credit card numbers. Researchers and browser vendors need to think a bit harder about usable and secure screen sharing mechanisms.

    Omar Choudary’s talk was on Chip and Skim: Cloning EMV Cards with the Pre-Play Attack (declaration: I’m a coauthor). The Europay-Mastercard-Visa protocol (EMV) prevents transaction replays using an unpredictable number (UN) generated by the terminal and an application transaction counter (ATC) from the card. A dispute in Malta revealed a UN that was just a counter; this would allow attackers to record a transaction at terminal A for reuse later. It turned out that the test spec only required four consecutive UN values to be different. That’s being fixed, but a worse problem is that the UN is generated by the terminal rather than the bank, so it can be fixed up by a middleperson attack between the terminal and the bank, or by terminal malware. Terminal communications are left to implementers and there are many networks and protocols in use; MACs on each link from terminal to acquirer to switch to issuer are expensive. Even if authentication is eventually introduced, attacks can be done via malware, in the supply chain or by dishonest merchants. The best way to deal with attacks meanwhile is by checking transaction certificates in the event of dispute. Regrettably the TC is often not kept, as it’s not always needed for clearing. Regulators should prohibit liability shifting, make clear that the TC is the only probative evidence in a dispute, and shops selling high-value goods should have a means of checking the TC before the customer leaves with the diamond!

  2. Jinjin Liang started the second session with a talk on When HTTPS meets CDN. Https doesn’t always work well with content delivery networks, so they did experiments on five of them in November 2013. Two of them used http, two used https but didn’t validate the cert, and the last didn’t check the domain name (these are being fixed). CDNs allow customers to use self-signed certificates. DNS-based request routing is even more tricky as it’s obscure to the browsers. Some websites share their private keys with CDNs; a ore robust arrangement is for the website to buy a second cert / private key from its CA for CDN use. DANE might provide a way forward, as relevant certs could be embedded into it; they implemented this as a Firefox extension in order to test it.

    Lin-Shung Huang was next with Analyzing Forged SSL Certificates in the Wild, work done with Facebook on monitoring forged SSL certificates. They used an SSL handshake over Flash sockets to enable Facebook servers to check its own SSL cert from the client end (Facebook has now implemented similar mechanisms for mobile apps too). Four months of data sampled 9.2m connections, 3.4m certs, of which 0.2% were forgeries (mostly used by AV, corporate firewalls and content filters). They found various attacks, the most common using Verisign and Thawte branded fake certs that had been installed by the IopFailZeroAccessCreate malware on infected clients across 45 countries. Facebook now uses HSTS to clients can’t click through SSL failures. They found no rogue CAs.

    Antoice Delignat-Lavaud’s talk was on Triple Handshakes and Cookie Cutters. He’s been studying proposals to bind use authentication tokens to the underlying TLS handshake, and he’s found that a network attacker can truncate https contents and delete targeted cookies. The partial https messages were accepted by various browsers and stored as insecure cookies for later use. This attack is now fixed in Chromium, Android and Safari. An API attack of this kind comes via renogotiation, which could be tweaked to include information from a different context; in 2009, such attacks were fixed by ensuring that all handshakes on a connection are linked. Session truncation reopens this old wound. Chromium and Safari have fixed this, and IE has a fix pending. A long-term fix is a hash log of all protocol messages, which has been submitted to IETF. Scientifically, this amounts to a new flaw in TLS resumption, and the lesson that the TLS library is not the right unit of verification! You have to look at the associated protocol libraries too.

    Suman Jana was the morning’s last speaker, and his talk was on Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations. There are about half a dozen SSL implementations that test certificates, of which OpenSSL and GnuTLS account for most; they use 44 and 51 test certificates respectively for validation. How can we test certificate validation code better? Fuzzing doesn’t work as fuzzed strings don’t parse, symbolic analysis can’t cope with the complexity. His solution was recombinant: he put together 8 million “Frankencerts” from pieces of genuine certificates, for use as a test suite. He tested 14 different implementations and found 208 discrepancies due to 15 root causes, among which were some real vulnerabilities in GnuTLS and other fielded code. There are some interesting interactions: for example, if you pass Chrome an invalid cert that’s expired, only the fact that it’s expired is passed up to Chrome by the NSS library it uses. The lesson is that all cryptographers should implement Frankencerts with their test harnesses.

  3. Aaron Blankstein started the afternoon with Automating Isolation and Least Privilege in Web Services. Modern web app frameworks like Django and Ruby on Rails often have catastrophic bugs; Aaron has designed a new framework called Passe to harden web apps by isolating execution and data and enforcing a rich data policy. Views are isolated into separate processes which are isolated using AppArmor, and constraints are learned from testing. You develop a Django web app, then test it using a number of end-to-end test cases, then run it in the Passe runtime environment.

    Collin Mulliner was next with a talk on Hidden Gems, a systematic investigation of how GUIs and access control interact. A GUI element misuse (GEM) is where developers misuse GUI features for access control; these are often exploitable, and turn out to be fairly common where applications manage their own use access control rather than using O/S facilities. For example, unauthorised callback execution is where a button does a callback, and the developer assumed that when it was disabled it could not be used. Unauthorised information disclosure can happen when developers wrongly assume that hidden UI elements can’t be made visible. The author has a number of examples of spectacular bugs, and has created a tool for finding such vulnerabilities.

    Steve Kremer’s talk was on Automated Analysis of Security Protocols with Global State. Some APIs for hardware security modules assume shared state in the HSM, and the TPM stores state in registers; so making the same call to the crypto hardware twice can give different results. Existing tools like proVerif and Maude-NPA don’t support state; Statverify and Tamarin have started to add memory. This paper proposes SAPIC, Stateful Applied Pi Calculus, as a front end of Tamarin. They’ve a correctness proof and have applied it to a simplified PKCS11, Yubikey, and GJM contract signing.

    Ralf Sasse’s topic was Automated Verification of Group Key Agreement Protocols. There are lots of group key protocols using DH orpairing mechanisms; they’re notoriously tricky as they can have loops and mutable global state. Protocols with claimed pen-and-paper security proofs have still been broken. He’s been figuring out ways of using Tamarin, their group’s protocol verification tool, to deal with DH and pairing so it can tackle such protocols, and has done verifications of half a dozen protocols to prove its effectiveness. His tool is called Mimicus and is avalable online.

  4. Pavel Laskov started the last session on Monday with Practical Evasion of a Learning-Based Classifier: A Case Study. Many deployed security systems make intensive use of machine learning to classify everything from malware through card fraud to login patterns. Earlier work looked at the theory and practice of classifier evasion on the assumption that the attacker has direct access to the internal workings of the classifier. A more realistic threat model is that the attacker can test it, and can make educated guesses about the feature sets in use. General attacks include mimicry, where you merge feature values from a benign file into the malicious one, and gradient descent method which follows the gradient of the decision function and the density of benign examples. The paper reports experiments with Pdfrate, a tool for assessing pdf files for malware, and discusses the efficacy of assorted attacks and defences.

    Sadia Afroz was next up with Doppelgänger Finder: Taking Stylometry To The Underground. They studied four underground forums that had been leaked by anonymous people: Antichat, Blackhatworld, Carders and L33tCrew, the last two of which had significant user overlap. User writing style was analysed, which meant dealing with a variety of methodological and technical problems. This led to pairwise probabilities of association between authors. Carders had 221 users who wrote over 4,500 words, and most of them were high-ranked. She identified 10 pairs of previously undetected doppelgaengers, and then analysed what these shills were used for; the first was to create fake demand, the second to create fake accounts for sale. These were well-connected accounts that would have not been found with conventional sybil detection.There are other results in the paper, and a discussion of the practicalities of using stylometry as a forensic tool.

    Andrea Bittau’s talk, Hacking Blind, showed how in principle you can craft an exploit against an unknown system simply from being able to observe whether it crashes the server or not. From the first crash to a shell can take only minutes and thousands of attempts. It requires a stack vulnerability, and knowledge of how to trigger it, and a server process that respawns after a crash. He does blind return-oriented programming: he breaks ALSR by reading the stack by repeatedly overwriting it and seeing what changes stuff, then he uses similar tricks to find addresses he can call without crashing the system. These are gadgets of various types, in the ROP terminology; he just has to collect enough of them to hack the system. The details are a bit fiddly but are described in the paper. Eventually you find strcmp and the procedure linking table and you’re pretty well done. It’s basically like a game of battleships. They have built a tool, Braille, from 2000 lines of Ruby, to manage exploits. He ran a demo in 43 seconds to breakin, to loud applause.

    The last speaker of the day was Erik Bosman speaking on Framing Signals — A Return to Portable Shellcode. He has a new twist on return-oriented programming is to build a rich set of primitives for shellcode based on signal handling mechanisms. Just as ROP works with the stack, his sigreturn oriented programming (SROP) enables the attacker to build weird machines; the technology is Turing complete. They implemented the vulnerability (CVE-2012-5976) and while iOS is now randomised to prevent sigreturn attacks, Linux (including Android) and FreeBSD are still vulnerable. Mitigations are described in the paper, including canaries.

  5. James Mickens started Tuesday’s sessions with Pivot: Fast, Synchronous Mashup Isolation Using Generator Chains. Scripts in the same frame use the same javascript runtime, so scripts from different sources are hard to isolate from each other. James’ solution is Pivot, which places each library into an iframe, and uses minimal code rewriting to implement synchronous cross-domain interfaces atop the asynchronous cross-frame postMessage() primitive. It turns out he doesn’t need to rewrite everything, just the trusted core that calls the various libraries; empirically, these don’t make outcalls. As a result, pivot is 1-2 orders of magnitude faster than Jigsaw, which rewrites everything.

    Andrei Homescu was next on SoK: Automated Software Diversity. Address space layout randomisation makes attacks harder but is becoming vulnerable to modern attacks such as just-in-time code reuse and Andrea Bittau’s attack presented yesterday. How can we do diversity better? In this systematisation of knowledge paper, Andrei analyses approaches that randomise data as well as code; that use a range of transformations at different granularities; and that do diversification before or after distribution. He found that security evaluations are rather inconsistent and suggests that hybrid approaches combining pre- and post-distribution randomisation might be practical, along with reactive approaches such as booby traps.

    John Criswell’s KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels is aimed at providing full control-flow integrity for commodity operating systems without the costs of full memory safety. It does a number of things including tracking indirect branches by instrumenting all computed jumps, ensuring proper MMU configuration and exception handling, and controlling returns from system calls using software fault isolation. It inhibits the use of ROP gadgets and even has some formal proofs. Its overhead is about 2.5 times on FreeBSD compared with 5-10 times for full memory safety. His long-term goal is a fully verified version of a commodity operating system that’s fast enough to be usable.

    Zongwei Zhou concluded the first session with a talk on Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O. Software components tend to be either giants, with rich functionality but many vulnerabilities, and wimps which can be verified but don’t do much work. He provides on-demand isolated I/O to security sensitive applications on commodity platforms using a small and simple code base. Thus a banking app can pass data securely to a particular input or output device; it goes through a “wimpy kernel” that’s separated from the commodity O/S using a microhypervisor, which provides the verified separation. There are some interesting technical issues around how USB works; nonetheless the USB code in the wimpy kernel has two orders of magnitude then the comparable code in Linux.

  6. Shayak Sen won a best student paper award for his paper on Bootstrapping Privacy Compliance in Big Data Systems. How can a firm check that their millions of lines of undocumented code comply with their published privacy policy? At present this is done using audit meetings. Shayak’s contribution is “Legalease”, a high-level specification language for privacy champions to use, and “Grok”, a data inventory for mapreduce system with policy labels. Together they provide an automated workflow for privacy compliance. He tested it by getting a dozen Microsoft policy people to encode the Bing data usage policy; they took just under a quarter of an hour on average. Audit involves combining noisy sources from variable names through developer code annotations to manual actions by auditors. It’s now being used every day on Bing.

    Tomasz Truderung presented a Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking. Mix-nets have now been around for over 30 years, and Tor is a deployed version. Nested encryption and re-encryption need different analysis tools. The spur for the work was Khazaei and Wikström’s 2013 attacks on RPC mix-nets; this led Tomasz to look for proofs for mix-nets with nested encryption. With one honest server and IND-CCA2 encryption he can show that an adversary can’t tell which of two texts a user sent. The levels of verifiability and privacy support their use in e-voting systems.

    Fernando Krell’s paper was on Blind Seer: A Scalable Private DBMS. An agency wants to make private queries of a company database without the company learning anything; the company wants to process only authorised queries; and the system has to be efficient so we can’t use homomorphic crypto. His approach is to have an index server for the database, and let agents submit requests via a query checker. There’s a hierarchy of Bloom filters for keywords, and garbled circuits for doing Boolean logic on partial results. Their system takes only fifteen times longer than vanilla MySQL.

    The morning’s last talk was from Steve Myers on “Anonize: A Large-Scale Anonymous Survey System”. His system supports multiple anonymous surveys and provides unlinkability; it uses zero-knowledge proofs to enable participants to prove they’re registered participants in a particular survey. In questions, he admitted he had not thought about coercion resistance.

  7. The first speaker in the Android session was Luyi Xing on Upgrading Your Android, Elevating My Malware. He presented the first systematic survey of mobile O/S updating, during which he discovered a new type of attack: an evil app requests a permission available only on the next Android version, which is therefore not displayed to the user in the installation dialogue, and then just waits for the phone to be upgraded. It can also take the package name of a future browser, and leave behind malicious javascript in the cache that appears to be from google.com and that will compromise that browser after it’s kicked out on upgrade. A further variant on this theme is shared UID grabbing. He calls these “pileup flaws”. Over 3000 customised versions of Android are all vulnerable to them, and Google Play accepted some test malware they wrote. Google released a patch to vendors in January (though it only works for upgrades to 4.4, and so someone with 4.1 would get attacked when they moved to 4.2 en route to 4.3 and 4.4); the author wrote a scanner app at http://www.secureandroidupdate.org which does things properly.

    Xiaoyong Zhou was next on The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations. Almost half of android customisation is about device drivers, whose writers are often not security experts. He developed a tool, ADDICTED, a device miner that tests phones and correlates their behaviour with low-level device operations. This enables him to look for weakened protections on customised phones compared with Nexus reference devices, and thus pick up likely customisation flaws. He also did a large-scale measurement study using static analysis of O/S images; upgrades tended to fix (slightly) more customisation flaws than they introduced.

    The last speaker of the session was Byoungyung Lee, on From Zygote to Morula: Fortifying Weakened ASLR on Android. Android started using ALSR from version 4.1 to prevent exploitation of native code in apps, using the zygote process which contains the Dalvik VM and the Android runtime, which is forked on app launch. Thus ALSR is the same across apps and local trojans can get the memory layout; there are remote attacks too. His proposed solution is to create a pool of diversified instances of a ‘morula’ process while the device is idle, and grab one whenever a process is created. Their implementation took only a few hundred lines of code. Zygote has caused other problems too, such as for OpenSSL’s PRNG states (see CCS13) and blind ROP (yesterday’s talk), so systematically removing the flaw is generally worthwhile, especially as it can be done without significant cost. In fact, only about 5% of the 2,541 Dalvik classes are actually used by apps, so loading the rest on demand significantly speeds up booting.

  8. The session on e-cash was started by Lukasz Mazurek with Secure Multiparty Computations on BitCoin, which won the overall best paper award. Their new idea is to integrate multiparty computations with bitcoin. Bitcoin deposits are used to obtain fairness in MPC, and bitcoin scripting is also used to force the parties to observe financial outcomes. Their goal was to create an online lottery without a trusted server. Components include a mechanism that lets a user commit to opening a commitment by time t or pay a penalty. Then established mechanisms of online coin-tossing based on commitments and hashes do the rest. One problem is that such “non-standard” transactions are accepted by only one mining pool (Eligius, 16% of miners). They have a followup paper on doing any two-party computation which appeared at Bitcoin 2014.

    Eran Tromer spoke next on Zerocash: Decentralized Anonymous Payments from Bitcoin. Bitcoin broadcasts all transactions and the transaction graph can be easily analysed; Zerocoin adds a decentralised mix service but the proofs are heavyweight; Pinocchiocoin fixes this but the coins have only one denomination. Zerocash runs on top of bitcoin and supports private, direct variable-denomination payments. Its public key is 896Mb; it uses pairing-based crypto and “zero knowledge succinct noninteractive arguments of knowledge”. The main transaction type is “pour” which inputs old coins and outputs new ones for a set of destinations, plus a proof, which is the only thing published in the ledger.

    The last talk in the session was from Andrew Miller on PermaCoin. Their idea is to repurpose Bitcoin so that instead of burning their money on finding hash collisions, miners store data that we want to archive, preferably in a highly distributed and redundant way. The key idea is to replace the puzzle with a proof of retrievability. Each miner’s public key selects a set of blocks to store; each hash selects a subset, on which you compute a second hash, and check if you won this round. The only way to win is to store at least most of the blocks you’re supposed to. To prevent people outsourcing storage to Amazon, the puzzle has a bins-and-balls signature step where you prove knowledge of the secret key you use to claim the reward; you might not want to give Amazon that key! Given the size of bitcoin participation you could store 200+ Tb.

  9. The short talks session was a dozen presentations at five minutes each.

    First was Sebastian Josse on Malware Dynamic Recompilation: his tool VxStripper which removes the loader from a malware binary and deobfuscates the code. He is Sebastian.Josse@polytechnique.edu

    Anoop Singhal talked on using date from security events for attack analysis. He has a system that assembles them into evidence graphs. See http://arguslab.org/mulval.html

    His second talk was on behalf of Srini Srinivasan who couldn’t make it but who has written a book on trust in cloud computing.

    Nick Sullivan is interested in TLS handshake proxying. Servers read keys from disk and use them in memory where they can be stolen, as by Heartbleed; and the world is moving to CDNs which exacerbate the contradictory goals of load balancing and private key security. At Cloudflare he has developed and fielded a mechanism to split the handshake so the private key stays in an HSM at a secure location but the rest of the protocol runs from local servers.

    Simon Yoffe is exercised about corporate secrets being kept on personal phones. He has patented a hardware security switch to give positive user control over the phone camera, microphone, GPS and the SIM.

    Jeremiah Blocki has a scheme for human computable passwords; people memorise a random mapping between single digits and images. On presented with two image challenges he does addition mod 10 and uses this as an index into a table. See http://arxiv.org/abs/1404.0024

    Aaron Jaggard talked on Accountability, Deterrence and Identifiability, a project with Joan Feigenbaum and Rebecca Wright whose goal is to formalise the relationships between these concepts. They use quasilinear utilities to build economic models of how the reputation of nyms evolves.

    Aaron’s second talk was on representing network trust by means of Bayesian belief networks on network elements; he is using them to model properties of correlation attacks on Tor.

    Kartik Nayak talked on exploitation: what, when and how often. How does the security of a product change over time? Attack surfaces are hard to measure and CVSS doesn’t tell of attack frequency. He argues that we should use the field data: number of exploited versus disclosed vulns, i.e. the developer’s view versus the user’s (the latter is getting better); the attack volume is better than the attack surface.

    Brian Parno talked about “ironclad apps” developed at Microsoft Research; it combines trusted computing hardware, crypto and formal verification. They have “boogie” microkernel code in assembler and “dafny” library and app code; all of it verified. This supports crypto and a network stack, plus a notary to sign stuff and a password vault.

    Xiao Wang’s subject was oblivious data structures: can oblivious RAM hide access patterns and thus data leakage? At present the crypto is too expensive as the access pattern is a complete graph. But often more restricted access is sufficient, which enables the crypto to be optimised.

    Jeremy Epstein talked on the NSF’s Funding Opportunities in Secure and Trustworthy Cyberspace (SaTC). This spent $80m in FY14 with 650 active grants; the FY15 cycle begins this fall. New collaborations will be funded between computer scientists and social scientists.

    Finally I announced that registration for WEIS should open tomorrow. (It should have been today, but Jens is still struggling with the admin machinery at Penn State, which underlines the fact that systems usually fail not because of technology but because of incentives, and the way these work out in real organisations!)

  10. Sai Teja Peddinti kicked off Wednesday’s proceedings with Cloak and Swagger: Understanding Data Sensitivity Through the Lens of User Anonymity. Granular privacy controls are too hard to manage because they are a lot of work and social context changes constantly. How can web sites identify sensitive data automatically, so that they don’t pop up inappropriate ads on a user’s Facebook page? Sai wondered whether he could mine sensitivity by observing whether people used existing privacy tools such as private browsing and anonymous commenting, and analysed over a million answers on Quora over 60,000 topics to see if this was effective. On average 17% of answers were anonymous. This was elevated not just for sex, religion and mental illness, but also for personal experiences, career, relationships, and social issues such as immigration and racism. There were some quite specific effects: a question on how Zynga employees felt about the 2012 stock price drop drew 21 answers of which 16 were anonymous. There was a high correlation between search engine privacy rating and anonymity preference. He then worked word anonymity ratio (how often words were used in anonymous answers versus all answers) and word colocation analysis: both gave cheap and effective tools (they predict question sensitivity 80% of the time, and 88% for answers).

    Nuno Neves spoke on Stopping a Rapid Tornado with a Puff. Digital fountain codes are attractive for many broadcast applications; people use rapid tornado (raptor) codes such as R10 and RaptorQ (RFC 6330). A RaptorQ encoder adds R repair symbols to each K source symbols; there is a vey low probability of failure against random error; but it turns out to be vulnerable to malicious erasures. He has an algorithm for determining minimal erasures that will make the decoding equations indeterminate. Often it’s between one and four packets, assuming you choose the right ones! He leverages this to a service-denial attack on TFTP over IPSEC over RaptorQ. Countermeasures could include using a cryptographically secure PRNG to reorder the packet identifiers so that the attacker can’t spot the vulnerable packets, or just encrypting the whole channel. (Source code at http://www.lasige.di.fc.ul.pt/openrq)

    Michael Rushanan gave a systematisation of knowledge talk on Security and Privacy in Implantable Medical Devices and Body Area Networks. Implantable devices often have security issues but are safety critical; they must fail open, and their batteries must last 5-7 years. For example a patient’s implantable cardioverter-defibrillator will download private information to a programmer in a clinic, and receive therapy adjustments. Attack surfaces include the telemetry interface, the device software, and the hardware sensor interface; protection mechanisms tend to be optional in standards, and come second to interoperability. There have been dozens of papers on this since 2003, many of them proposing application of mechanisms such as distance bounding and anomaly detection; most of the academic literature focuses on the telemetry interface, and tend not to look at denial of service or compromise of programmer devices. There are also issues around using physiological values as sources of protocol randomness. At the macro level, reproducibility is poor as ICDs are hard to get; people scavenge from funeral homes, so devices are out of date and reproducibility is hard. Brain-computer interfaces might be a cool future research area with interesting side channels based on recognition. In questions, I noted Harold Thimbleby’s related work on safety usability which was the keynote at SOUPS last year.

    Piotr Mardziel’s topic was Quantifying Information Flow for Dynamic Secrets. Some services necessarily leak private information, from location-based services to address space randomisation. Piotr’s interested in measuring how much but assessing the probability of an optimal adversary succeeding. If secrets are dynamic, adversaries have to calculate how long to wait. Simple Bayesian models often do best: you work out expected gains based on prior observations, and there are some interactions with search algorithms. There is an uneasy balance between hiding the secret, and hiding the mechanism for changing the secret, with occasional perverse twists. Yet adaptation has been largely ignored in the quantitative information flow literature. His implementation and experiments are online at http://ter.ps/dgif.

  11. Adam Everspaugh talked about Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG. This is a systematic study of random number generators and virtualisation. They study two folk theorems: that virtualisation can leak or duplicate RNG state, and that virtualised environments don’t have enough randomness to seed RNGs properly. They find the first is substantiated but the second is not. Linux RNG in particular is not reset secure; /dev/urandom gives the same first dozen or so outputs until environmental randomness starts to percolate in. Generating an RSA key on resumption (openssl genrsa) gives the same key nine times out of ten. The implementation is so careful and complex that it takes time for new interrupts to get stirred into the pool. He found an entropy starvation attack in which a user can extend the delay indefinitely and this works on FreeBSD and Windows too (as well as VMWare and Xen). He found however by instrumenting VMware, Xen and EC2 that enough entropy flows into the system. Finally, he tried his hand at a clean-slate RNG design, “Whirlpool”, that keeps the same interfaces but has both fast and slow seed chains inspired by Yarrow. The first ensures rapid secure state change after resumption (with data injected from the hypervisor) while the second blocks checkpoint attacks, thus providing reset security by design.

    Enes Göktaş spoke next on Out Of Control: Overcoming Control-Flow Integrity. He argues that practical implementations of Abadi’s control-flow integrity are not powerful enough to block attacks based on return-oriented programming as you can jump to invalid branch targets. He has developed two new classes of gadgets (call site and entry point gadgets) of which large binaries contain thousands. He refers to this as call-oriented programming. As proof of concept he built an exploit of IE 8. He recommends that existing ROP countermeasures be combined with run-time control-flow enforcement.

    Fabian Yamaguchi has been working on Modeling and Discovering Vulnerabilities with Code Property Graphs. Simple tools like grep can be powerful at finding even subtle bugs in the hands of experts; this inspired Fabien to build a code mining tool. Based on a study of all Linux kernel vulnerabilities in 2012, this parses the code to an abstract syntax tree, the control flow graph and program dependence graph. This lets the analyst ask “Find a call to foo in a statement where data flow exists to a statement that contains a call to bar”. This entails merging the AST, CFG and PDG into a “code property graph” in which vulnerabilities can be described as traversals (descriptions of paths from start nodes to interesting ones). For example, the graph language gremlin lets you find traversals. However that only gives you syntax, which isn’t enough to find most vulnerabilities: for that you need to look for unsanitised paths. Applying this to the Linux kernel found five hits of which four were previously unknown buffer overflows; Qualcomm found about 100 issues in their code from nine queries. A further 18 vulnerabilities were found in Linux once they tried further queries for other types of bug. See http://codeexploitation.blogspot.de for the tool.

    Bushan Jain was the last speaker of the morning with a systematisation of knowledge paper on Introspections on Trust and the Semantic Gap. This covers a dozen years of research on virtual machine introspection tools that seek to bridge the gap between a hypervisor and a guest operating system. This usually ends up reintroducing some trust in the guest, and even making light modifications to it to prove correctness; in fact there are ubiquitous trust assumptions across all VMI designs. This is fine for a benign guest OS, but the VMI problem is still open for a malicious one; a way forward might be to use adversarial machine learning techniques continuously on the guest.

  12. Chang Liu’s topic was Automating Efficient RAM-Model Secure Computation which involves using oblivious RAM to improve secure multiparty computation. He has a compiler which will generate a protocol given input code for the problem to be shared. An issue is the program counter leaking information, so his protocol has instruction-trace and memory-trace obliviousness. The compiler backend is a garbled circuit simulator.

    Mohammed Naveed’s project is Dynamic Searchable Encryption via Blind Storage. A problem with using crypto in cloud services is that storage and CPU may be separated; Mohammed has a proposal for encrypting indexes to file stores separately. It involves a matrix of hashes in a blind store. The cost of retrieving a file is 20Kb plus four times the file’s size.

    The third speaker was Aseem Rastogi, on Wysteria: A Programming Language for Generic, Mixed-mode Multiparty Computations. Existing models of secure multiparty computations can’t deal with obvious applications such as dealing cards in an online game, as these are mixed-mode in the sense that local private computations are interspersed with rounds of SMC. Aseem has created a language, Wysteria, which is similar to OCaml and can handle this. Private computations are compiled locally while shared ones are turned at runtime into “wire bundles” to do the SMC.

  13. Daniel Fett and Guido Schmitz shared the presentation of their paper An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. They have a model of web security that tries to model both good and bad scripts acting in the complex frameworks now emerging. as an example, they analyse Mozilla Persona, a recent real-world single sign-on system that employs AJAX, cross-document messaging and HTML5 to give users a uniform way to log in to web pages without a central authority where privacy could be compromised. They found a number of attacks that are now being fixed.

    Jerry Ma presented A Study of Probabilistic Password Models. Some password models (type 1) study what makes users choose better passwords; others (type 2) design better cracking utilities. For dealing with large corpora with millions or billions of passwords, he proposes using probability threshold graphs, based on the average negative log likelihood, which is the area left of the threshold curve. They are easier to compute than guess likelihood graphs used at present, and have interesting interactions with Markov models: he suggests using a variable-order Markov chain, with higher order for larger probabilities. This did best when he tested various probability models on Rockyou and other large datasets.

    The last talk at Oakland was given by Shrirang Mare on ZEBRA: Zero-Effort Bilateral Recurring Authentication. Shrirang found that in a hospital deauthentication is a problem: login timeouts are too short or too long. So people forget to log out, and one doctor even got a nurse to press a spacebar regularly to prevent it logging him out. Auto-logout systems based on human proximity detection, facial recognition and keystroke biometrics have their own problems. His proposal is to give users a wristband whose movement is correlated with user typing behaviour. He calls it bilateral authentication, as it combines a sensor device and software, which work together to authenticate the user. Typing, scrolling and mouse-keyboard switching all have different characteristics. His system can identify an adversary who’s taken over a PC within 50 seconds with 90% accuracy.

Leave a Reply to Adam Shostack Cancel reply

Your email address will not be published. Required fields are marked *