CSET '19 Workshop Program

This paper describes the work of introducing a CPS (Cyber Physical System) extension to our Internet event simulator at Iowa State University, known as ISEAGE, for Cyber Defense Competitions (CDCs). The CPS extension consists of a virtual control system to interface with CPS devices, a human machine interface (HMI) to access and control the devices, a virtual world to simulate the physical effects of the devices, and a backend to support the use of the CPS component in CDCs. These components communicate with each other using the Open Platform Communications standard. A CPS-CDC scenario is developed where participants are tasked with defending two CPS networks representing water and power utilities. To enhance the experience for participants, we also 3D-print a model of the virtual city served by these utilities. The 3D city reflects the state of the competition via LEDs that report the availability of services. The design of our CPS-CDC is highly modular, supporting any number of different CPS devices and systems, and can be adapted to a wide set of possible CPS scenarios.

This paper describes the Triton federated-avionics security testbed that supports testing real aircraft electronic systems for security vulnerabilities. Because modern aircraft are complex systems of systems, the Triton testbed allows multiple systems to be instantiated for analysis in order to observe the aggregate behavior of multiple aircraft systems and identify their potential impact on flight safety. We describe two attack scenarios that motivated the design of the Triton testbed: ACARS message spoofing and the software update process for aircraft systems. The testbed allows us to analyze both scenarios to determine whether adversarial interference in their expected operation could cause harm. This paper does not describe any vulnerabilities in real aircraft systems; instead, it describes the design of the Triton testbed and our experiences using it.

One of the key features of the Triton testbed is the ability to mix simulated, emulated, and physical electronic systems as necessary for a particular experiment or analysis task. A physical system may interact with a simulated component or a system whose software is running in an emulator. To facilitate rapid reconfigurability, Triton is also entirely software reconfigurable: all wiring between components is virtual and can be changed without physical access to components. A prototype of the Triton testbed is used at two universities to evaluate the security of aircraft systems.

Nearly all modern software suffers from bloat that negatively impacts its performance and security. To combat this problem, several automated techniques have been proposed to debloat software. A key metric used in these works to demonstrate improved security is code reuse gadget count reduction. The use of this metric is based on the prevailing idea that reducing the number of gadgets available in a software package reduces its attack surface and makes mounting a gadget-based code reuse exploit such as return-oriented programming (ROP) more difficult for an attacker. In this paper, we challenge this idea and show through a variety of realistic debloating scenarios the flaws inherent to the gadget count reduction metric. Specifically, we demonstrate that software debloating can achieve high gadget count reduction rates, yet fail to limit an attacker’s ability to construct an exploit. Worse yet, in some scenarios high gadget count reduction rates conceal instances in which software debloating makes security worse by introducing new quality gadgets. To address these issues, we propose new metrics based on quality rather than quantity for assessing the security impact of software debloating. We show that these metrics can be efficiently calculated with our Gadget Set Analyzer tool. Finally, we demonstrate the utility of these metrics through a realistic debloating case study.

Cybersecurity researchers and practitioners continually propose products and services to secure and protect against cyberthreats. Even when backed by solid cybersecurity science, these offerings are sometimes misaligned with customers’ practical needs. The Innovation Corps (I-Corps) methodology attempts to help innovators, researchers, and practitioners maximize their success through deliberate customer discovery. The National Security Agency (NSA) has adopted I-Corps for internal innovation and optimization. In February 2019, NSA Cybersecurity Operations embarked on a study using this methodology to explore cyber threat intelligence sharing. Information sharing is a foundational practice in cybersecurity. The NSA also shares cyber indicators with authorized partners, and sought to understand how partners consumed and valued the information to better tailor it to their needs. After more than 60 customer discovery problem interviews with over 20 partners, six primary themes emerged. We describe our experiences using the I-Corps methodology to study and optimize internal processes, and lessons learned from applying it to information sharing. These insights may inform future applications of I-Corps to other areas of cybersecurity research, practice, and commercialization.

Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.

Time-driven and access-driven attacks are two dominant types of the timing-based cache side-channel attacks. Despite access-driven attacks are popular in recent years, investigating the time-driven attacks is still worth the effort. It is because, in contrast to the access-driven attacks, time-driven attacks are independent of the attackers’ cache access privilege.

Although cache configurations can impact the time-driven attacks’ performance, it is unclear how different cache parameters influence the attacks’ success rates. This question remains open because it is extremely difficult to conduct comparative measurements. The difficulty comes from the unavailability of the configurable caches in existing CPU products.

In this paper, we utilize the GEM5 platform to measure the impacts of different cache parameters, including Private Cache Size and Associativity, Shared Cache Size and Associativity, Cacheline Size, Replacement Policy, and Clusivity. In order to make the time-driven attacks comparable, we define the equivalent key length (EKL) to describe the attacks’ success rates. Key findings from the measurement results include (i) private cache has a key effect on the attacks’ success rates; (ii) changing shared cache has a trivial effect on the success rates, but adding neighbor processes can make the effect significant; (iii) the Random replacement policy leads to the highest success rates while the LRU/LFU are the other way around; (iv) the exclusive policy makes the attacks harder to succeed compared to the inclusive policy. We finally leverage these findings to provide suggestions to the attackers and defenders as well as the future system designers.

Recently, researchers have developed a wide range of distributed systems that rely on programmable data planes in emerging switch hardware. Unlike traditional SDN switches, these new switches can be reconfigured to support user-defined protocols, customized packet processing, and sophisticated state. However, despite their popularity, one aspect that has received very little attention is their security implications.

This paper describes our ongoing investigation on a new class of attacks to these systems, which we call sensitivity attacks. We found that an attacker can generate malicious traffic patterns to "flip" the expected behaviors of a data plane system. We propose an approach to discovering attack vectors in a given data plane system and generating patches, both in an automated manner, and we present a set of preliminary experiments to demonstrate the feasibility of this approach.

Defending against the threat of IoT malware will require new techniques and tools. An important security capability, that precedes a number of security analyses, is the ability to reverse engineer IoT malware binaries effectively. A key question is whether PC-oriented disassemblers can be effective on IoT malware, given the difference in the malware programs and the processors that support them. In this paper, we develop a systematic approach and a tool for evaluating the effectiveness of disassemblers on IoT malware binaries. The key components of the approach are: (a) we find the source code for 20 real-world malware programs, (b) we compile them to form a test set of 240 binaries using various compiler optimization options, device architectures, and consid- ering both stripped and unstripped versions of the binaries, and (c) we establish the ground-truth for all these binaries for six disassembly accuracy metrics, such as the percentage of correctly disassembled instructions, and the accuracy of the control flow graph. Overall, we find that IDA Pro performs well for unstripped binaries with a precision and recall accuracy of over 85% for all the metrics. However, IDA Pro’s performance deteriorates significantly with stripped binaries, mainly because the recall accuracy of identifying the start of functions drops to around 60% for both platforms. The results for the stripped ARM and MIPS binaries are similar to stripped x86 binaries in [1]. Interestingly, we find that most compiler optimization options, except the -O3 option for the MIPS architecture, do not cause any noticeable effect in the accuracy. We view our approach as an important capability for assessing and improving reverse engineering tools focusing on IOT malware.

When experimenting with cybersecurity technologies for industrial control systems, it is often difficult to develop a realistic, self-contained model that provides an ability to easily measure the effects of cyber behavior on the associated physical system. To address this challenge, we have created and instantiated a microgrid cyber-physical model, where both the power distribution and the individual loads are under the control and authority of one entity. This enables cybersecurity experimentation where attacks against the physical system (grid and buildings) can be measured and defended from a single entity's infrastructure. To achieve the appropriate levels of fidelity for cybersecurity effects, our microgrid model integrates multiple levels of simulation, hardware-in-the-loop, and virtualization. In this paper, we present how we designed and instantiated this test case model in a testbed infrastructure, our efforts to validate its operation, and an exemplary multistage attack scenario to showcase the model's utility.

The DComp Testbed effort has built a large-scale testbed, combining customized nodes and commodity switches with modular software to launch the Merge open source testbed ecosystem. Adopting EVPN routing, DCompTB employs a flexible and highly adaptable strategy to provision network emulation and infrastructure services on a per-experiment basis. Leveraging a clean separation of the experiment creation process into realization at the Merge portal and materialization on the DCompTB site, the testbed implementation embraces modularity throughout. This enables a well-defined orchestration system and an array of reusable modular tools to perform all essential functions of the DCompTB. Future work will evaluate the robustness, performance and maintainability of this testbed design as it becomes heavily used by research teams to evaluate opportunistic edge computing prototypes.