Technical Sessions

To access a presentation's content, please click on its title below.

Symposium papers are available to registered attendees immediately and to everyone beginning Wednesday, August 14, 2013. Everyone can view the abstracts and the proceedings front matter immediately.

Proceedings Front Matter: 
Cover Page | Title Page and List of Organizers | Table of Contents | Message from the Program Chair

USENIX Security '13 Full Proceedings (PDF)
USENIX Security '13 Proceedings Interior (PDF, best for mobile devices)
USENIX Security '13 Erratum (PDF)
USENIX Security '13 Full Proceedings (EPUB)
USENIX Security '13 Full Proceedings (MOBI)


Wednesday, August 14, 2013

8:15 a.m.–8:45 a.m. Wednesday

Continental Breakfast

Hall of Battles

8:45 a.m.–9:00 a.m. Wednesday

Opening Remarks and Awards

Regency Ballroom

Program Chair: Sam King, University of Illinois and Adrenaline Mobility

Presentation of the USENIX Security '13 Best Paper Awards and the 2013 USENIX Security Test of Time Award

9:00 a.m.–10:30 a.m. Wednesday

Wednesday Keynote Address

Regency Ballroom

Dr. Felten Goes To Washington: Lessons from 18 Months in Government

Edward W. Felten, Director, Center for Information Technology Policy, and Professor of Computer Science and Public Affairs, Princeton University; former Chief Technologist, U.S. Federal Trade Commission

This talk will describe the speaker's experience in government, where he served as the first Chief Technologist at the Federal Trade Commission. Technologists often complain that government is broken and policymakers are clueless, but the truth is more complicated. This talk will explain why government works differently, why it can be perfectly fine for policymakers to not understand how the Internet works, how to work effectively with government officials, why legislative strategy is NP-complete, and why we need more technologists to spend time in public service.

Edward W. Felten is a Professor of Computer Science and Public Affairs at Princeton University, and the founding Director of Princeton's Center for Information Technology Policy. In 2011–12 he served as the first Chief Technologist at the U.S. Federal Trade Commission. His research interests include computer security and privacy, especially relating to media and consumer products; and technology law and policy. He has published about eighty papers in the research literature and two books. His research on topics such as Web security, copyright and copy protection, and electronic voting has been covered extensively in the popular press. His Weblog, at freedom-to-tinker.com, is widely read for its commentary on technology, law, and policy.

He is a member of the National Academy of Engineering and the American Academy of Arts and Sciences, and is a Fellow of the ACM. He has testified before the House and Senate committee hearings on privacy, electronic voting, and digital television. In 2004, Scientific American magazine named him to its list of fifty worldwide science and technology leaders.

10:30 a.m.–11:00 a.m. Wednesday

Break with Refreshments

Hall of Battles

11:00 a.m.–12:30 p.m. Wednesday

Network Security

Regency BCD

Session Chair: Chris Grier, University of California, Berkeley

Greystar: Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks Using Gray Phone Space

Nan Jiang, University of Minnesota; Yu Jin and Ann Skudlark, AT&T Labs; Zhi-Li Zhang, University of Minnesota

In this paper, we present the design of Greystar, an innovative defense system for combating the growing SMS spam traffic in cellular networks. By exploiting the fact that most SMS spammers select targets randomly from the finite phone number space, Greystar monitors phone numbers from the grey phone space (which are associated with data-only devices like laptop data cards and machine-to-machine communication devices like electricity meters) and employs a novel statistical model to detect spam numbers based on their footprints on the grey phone space. Evaluation using five months of SMS call detail records from a large US cellular carrier shows that Greystar can detect thousands of spam numbers each month with very few false alarms, and 15% of the detected spam numbers have never been reported by spam recipients. Moreover, Greystar is much faster in detecting SMS spam than existing victim spam reports, reducing spam traffic by 75% during peak hours.

Practical Comprehensive Bounds on Surreptitious Communication over DNS

Vern Paxson, University of California, Berkeley, and International Computer Science Institute; Mihai Christodorescu, Qualcomm Research; Mobin Javed, University of California, Berkeley; Josyula Rao, Reiner Sailer, Douglas Lee Schales, and Marc Ph. Stoecklin, IBM Research; Kurt Thomas, University of California, Berkeley; Wietse Venema, IBM Research; Nicholas Weaver, International Computer Science Institute and University of California, San Diego

DNS queries represent one of the most common forms of network traffic, and likely the least blocked by sites. As such, DNS provides a highly attractive channel for attackers who wish to communicate surreptitiously across a network perimeter, and indeed a variety of tunneling toolkits exist. We develop a novel measurement procedure that fundamentally limits the amount of information that a domain can receive surreptitiously through DNS queries to an upper bound specified by a site’s security policy, with the exact setting representing a tradeoff between the scope of potential leakage versus the quantity of possible detections that a site’s analysts must investigate.

Rooted in lossless compression, our measurement procedure is free from false negatives. For example, we address conventional tunnels that embed the payload in the query names, tunnels that repeatedly query a fixed alphabet of domain names or varying query types, tunnels that embed information in query timing, and communication that employs combinations of these. In an analysis of 230 billion lookups from real production networks, our procedure detected 59 confirmed tunnels. For the enterprise datasets with lookups by individual clients, detecting surreptitious communication that exceeds 4 kB/day imposes an average analyst burden of 1–2 investigations/week.

Let Me Answer That for You: Exploiting Broadcast Information in Cellular Networks

Nico Golde, Kévin Redon, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories

Mobile telecommunication has become an important part of our daily lives. Yet, industry standards such as GSM often exclude scenarios with active attackers. Devices participating in communication are seen as trusted and non-malicious. By implementing our own baseband firmware based on OsmocomBB, we violate this trust and are able to evaluate the impact of a rogue device with regard to the usage of broadcast information. Through our analysis we show two new attacks based on the paging procedure used in cellular networks. We demonstrate that for at least GSM, it is feasible to hijack the transmission of mobile terminated services such as calls, perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area.

Potpourri

Regency A

Session Chair: David Wagner, University of California, Berkeley

Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations

Istvan Haller and Asia Slowinska, VU University Amsterdam; Matthias Neugschwandtner, Vienna University of Technology; Herbert Bos, VU University Amsterdam

Dowser is a ‘guided’ fuzzer that combines taint tracking, program analysis and symbolic execution to find buffer overflow and underflow vulnerabilities buried deep in a program’s logic. The key idea is that analysis of a program lets us pinpoint the right areas in the program code to probe and the appropriate inputs to do so.

Intuitively, for typical buffer overflows, we need consider only the code that accesses an array in a loop, rather than all possible instructions in the program. After finding all such candidate sets of instructions, we rank them according to an estimation of how likely they are to contain interesting vulnerabilities. We then subject the most promising sets to further testing. Specifically, we first use taint analysis to determine which input bytes influence the array index and then execute the program symbolically, making only this set of inputs symbolic. By constantly steering the symbolic execution along branch outcomes most likely to lead to overflows, we were able to detect deep bugs in real programs (like the nginx webserver, the inspircd IRC server, and the ffmpeg videoplayer). Two of the bugs we found were previously undocumented buffer overflows in ffmpeg and the poppler PDF rendering library.

MetaSymploit: Day-One Defense against Script-based Attacks with Security-Enhanced Symbolic Analysis

Ruowen Wang, Peng Ning, Tao Xie, and Quan Chen, North Carolina State University

A script-based attack framework is a new type of cyberattack tool written in scripting languages. It carries various attack scripts targeting vulnerabilities across different systems. It also supports fast development of new attack scripts that can even exploit zero-day vulnerabilities. Such mechanisms pose a big challenge to the defense side since traditional malware analysis cannot catch up with the emerging speed of new attack scripts. In this paper, we propose MetaSymploit, the first system of fast attack script analysis and automatic signature generation for a network Intrusion Detection System (IDS). As soon as a new attack script is developed and distributed, MetaSymploit uses security-enhanced symbolic execution to quickly analyze the script and automatically generate specific IDS signatures to defend against all possible attacks launched by this new script from Day One. We implement a prototype of MetaSymploit targeting Metasploit, the most popular penetration framework. In the experiments on 45 real attack scripts, MetaSymploit automatically generates Snort IDS rules as signatures that effectively detect the attacks launched by the 45 scripts. Furthermore, the results show that MetaSymploit substantially complements and improves existing Snort rules that are manually written by the official Snort team.

Towards Automatic Software Lineage Inference

Jiyong Jang, Maverick Woo, and David Brumley, Carnegie Mellon University

Software lineage refers to the evolutionary relationship among a collection of software. The goal of software lineage inference is to recover the lineage given a set of program binaries. Software lineage can provide extremely useful information in many security scenarios such as malware triage and software vulnerability tracking.

In this paper, we systematically study software lineage inference by exploring four fundamental questions not addressed by prior work. First, how do we automatically infer software lineage from program binaries? Second, how do we measure the quality of lineage inference algorithms? Third, how useful are existing approaches to binary similarity analysis for inferring lineage in reality, and how about in an idealized setting? Fourth, what are the limitations that any software lineage inference algorithm must cope with?

Towards these goals we build ILINE, a system for automatic software lineage inference of program binaries, and also IEVAL, a system for scientific assessment of lineage quality. We evaluated ILINE on two types of lineage—straight line and directed acyclic graph—with large-scale real-world programs: 1,777 goodware spanning over a combined 110 years of development history and 114 malware with known lineage collected by the DARPA Cyber Genome program. We used IEVAL to study seven metrics to assess the diverse properties of lineage. Our results reveal that partial order mismatches and graph arc edit distance often yield the most meaningful comparisons in our experiments. Even without assuming any prior information about the data sets, ILINE proved to be effective in lineage inference—it achieves a mean accuracy of over 84% for goodware and over 72% for malware in our datasets.

12:30 p.m.–2:00 p.m. Wednesday

Lunch, on your own

2:00 p.m.–3:30 p.m. Wednesday

Mobile Security I

Regency BCD

Session Chair: Patrick Traynor, Georgia Institute of Technology

Securing Embedded User Interfaces: Android and Beyond

Franziska Roesner and Tadayoshi Kohno, University of Washington

Web and smartphone applications commonly embed third-party user interfaces like advertisements and social media widgets. However, this capability comes with security implications, both for the embedded interfaces and the host page or application. While browsers have evolved over time to address many of these issues, mobile systems like Android—which do not yet support true cross-application interface embedding—present an opportunity to redesign support for secure embedded user interfaces from scratch. In this paper, we explore the requirements for a system to support secure embedded user interfaces by systematically analyzing existing systems like browsers, smartphones, and research systems. We describe our experience modifying Android to support secure interface embedding and evaluate our implementation using case studies that rely on embedded interfaces, such as advertisement libraries, Facebook social plugins (e.g., the “Like” button), and access control gadgets. We provide concrete techniques and reflect on lessons learned for secure embedded user interfaces.

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications

Benjamin Livshits and Jaeyeon Jung, Microsoft Research

Mobile app development best practices suggest that developers obtain opt-in consent from users prior to accessing potentially sensitive information on the phone. We study challenges that mobile application developers have with meeting such requirements, and highlight the promise of using new automated, static analysis-based solutions that identify and insert missing prompts in order to guard otherwise unprotected resource accesses. We find evidence that third-party libraries, incorporated by developers across the mobile industry, may access privacy-sensitive resources without seeking consent or even against the user’s choice. Based on insights from real examples, we develop the theoretical underpinning of the problem of mediating resource accesses in mobile applications. We design and implement a graph-theoretic algorithm to place mediation prompts that protect every resource access, while avoiding repetitive prompting and prompting in background tasks or third-party libraries.

We demonstrate the viability of our approach by analyzing 100 apps, averaging 7.3 MB in size and consisting of dozens of DLLs. Our approach scales well: once an app is represented in the form of a graph, the remaining static analysis takes under a second on average. Overall, our strategy succeeds in about 95% of all unique cases.

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies

Sven Bugiel, Saarland University; Stephan Heuser, Fraunhofer SIT; Ahmad-Reza Sadeghi, Technische Universität Darmstadt and Center for Advanced Security Research Darmstadt

In this paper we tackle the challenge of providing a generic security architecture for the Android OS that can serve as a flexible and effective ecosystem to instantiate different security solutions. In contrast to prior work our security architecture, termed FlaskDroid, provides mandatory access control simultaneously on both Android’s middleware and kernel layers. The alignment of policy enforcement on these two layers is non-trivial due to their completely different semantics. We present an efficient policy language (inspired by SELinux) tailored to the specifics of Android’s middleware semantics. We show the flexibility of our architecture by policy-driven instantiations of selected security models such as the existing work Saint as well as a new privacy-protecting, user-defined and fine-grained per-app access control model. Other possible instantiations include phone booth mode, or dual persona phone. Finally we evaluate our implementation on SE Android 4.0.4 illustrating its efficiency and effectiveness.

Invited Talk

Regency A

Windows 8 Security: Supporting User Confidence

Crispin Cowan, Senior Program Manager, Windows Core Security, Microsoft, Inc.

Computing appliances should let users just use the device without having to “be careful” what they click on. Worse, “being careful” doesn’t even work anymore, as attackers have invaded nearly every aspect of digital life, and so could be lurking in search engine results, social networks, and even app stores. Windows 8 provides security features such as malware resistance, app isolation, and modernized access controls that defend against attacks by both technical and social means, giving the user the confidence to click what they want. Windows 8 can be used by any member of the family, and network administrators can confidently deploy Windows 8 to their users, without fearing that the user will be co-opted by attackers.

Crispin Cowan entered the security arena in 1998 at the Seventh USENIX Security Symposium with the StackGuard paper, which introduced stack canaries for buffer overflow protection, a technique now used on nearly all platforms. From 1999 to 2007 he was the founding CTO of Immunix, which was acquired by Novell in 2005 to incorporate AppArmor into SUSE Linux. Since 2008, Crispin has worked for Microsoft, continuing his work adding security value to existing operating systems, but now doing it for Windows. Crispin is especially interested in usable security and effective sandboxing, and so has contributed to improving usability in UAC and to building the app container feature to allow users to run Windows Store Apps with confidence. Crispin’s contribution to the upcoming Windows 8.1 has been enhancing the systematic security reviews to ensure that all Windows features ship with appropriate security considerations in mind. He holds a Ph.D. from the University of Western Ontario and a Master's in Mathematics from the University of Waterloo.

3:30 p.m.–4:00 p.m. Wednesday

Break with Refreshments

Hall of Battles

4:00 p.m.–5:30 p.m. Wednesday

Applied Crypto I

Regency BCD

Session Chair: Ian Goldberg, University of Waterloo

Proactively Accountable Anonymous Messaging in Verdict

Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford, Yale University

Among anonymity systems, DC-nets have long held attraction for their resistance to traffic analysis attacks, but practical implementations remain vulnerable to internal disruption or “jamming” attacks, which require time-consuming detection procedures to resolve. We present Verdict, the first practical anonymous group communication system built using proactively verifiable DC-nets: participants use public-key cryptography to construct DC-net ciphertexts, and use zero-knowledge proofs of knowledge to detect and exclude misbehavior before disruption. We compare three alternative constructions for verifiable DC-nets: one using bilinear maps and two based on simpler ElGamal encryption. While verifiable DC-nets incur higher computational overheads due to the public-key cryptography involved, our experiments suggest that Verdict is practical for anonymous group messaging or microblogging applications, supporting groups of 100 clients at 1 second per round or 1000 clients at 10 seconds per round. Furthermore, we show how existing symmetric-key DC-nets can “fall back” to a verifiable DC-net to quickly identify misbehavior, speeding up previous detection schemes by two orders of magnitude.

ZQL: A Compiler for Privacy-Preserving Data Processing

Cédric Fournet, Markulf Kohlweiss, and George Danezis, Microsoft Research; Zhengqin Luo, MSR-INRIA Joint Centre

ZQL is a query language for expressing simple computations on private data. Its compiler produces code to certify data, perform client-side computations, and verify the correctness of their results. Under the hood, it synthesizes zero-knowledge protocols that guarantee both integrity of the query results and privacy for all other data.

We present the ZQL language, its compilation scheme down to concrete cryptography, and the security guarantees it provides. We report on a prototype compiler that produces F# and C++. We evaluate its performance on queries for smart-meter billing, for pay-as-you-drive insurance policies, and for location-based services.

DupLESS: Server-Aided Encryption for Deduplicated Storage

Mihir Bellare and Sriram Keelveedhi, University of California, San Diego; Thomas Ristenpart, University of Wisconsin-Madison

Cloud storage service providers such as Dropbox, Mozy, and others perform deduplication to save space by only storing one copy of each file uploaded. Should clients conventionally encrypt their files, however, savings are lost. Message-locked encryption (the most prominent manifestation of which is convergent encryption) resolves this tension. However it is inherently subject to brute-force attacks that can recover files falling into a known set. We propose an architecture that provides secure deduplicated storage resisting brute-force attacks, and realize it in a system called DupLESS. In DupLESS, clients encrypt under message-based keys obtained from a key-server via an oblivious PRF protocol. It enables clients to store encrypted data with an existing service, have the service perform deduplication on their behalf, and yet achieves strong confidentiality guarantees. We show that encryption for deduplicated storage can achieve performance and space savings close to that of using the storage service with plaintext data.

Large-Scale Systems Security I

Regency A

Session Chair: Niels Provos, Google

Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse

Kurt Thomas, University of California, Berkeley, and Twitter; Damon McCoy, George Mason University; Chris Grier, University of California, Berkeley, and International Computer Science Institute; Alek Kolcz, Twitter; Vern Paxson, University of California, Berkeley, and International Computer Science Institute

As web services such as Twitter, Facebook, Google, and Yahoo now dominate the daily activities of Internet users, cyber criminals have adapted their monetization strategies to engage users within these walled gardens. To facilitate access to these sites, an underground market has emerged where fraudulent accounts – automatically generated credentials used to perpetrate scams, phishing, and malware – are sold in bulk by the thousands. In order to understand this shadowy economy, we investigate the market for fraudulent Twitter accounts to monitor prices, availability, and fraud perpetrated by 27 merchants over the course of a 10-month period. We use our insights to develop a classifier to retroactively detect several million fraudulent accounts sold via this marketplace, 95% of which we disable with Twitter’s help. During active months, the 27 merchants we monitor appeared responsible for registering 10–20% of all accounts later flagged for spam by Twitter, generating $127–459K for their efforts.

Impression Fraud in On-line Advertising via Pay-Per-View Networks

Kevin Springborn, Broadcast Interactive Media; Paul Barford, Broadcast Interactive Media and University of Wisconsin—Madison

Advertising is one of the primary means of revenue generation for millions of websites and mobile apps. While the majority of online advertising revenues are based on pay-per-click, alternative forms such as impression-based display and video advertising have been growing rapidly over the past several years. In this paper, we investigate the problem of invalid traffic generation that aims to inflate advertising impressions on websites. Our study begins with an analysis of purchased traffic for a set of honeypot websites. Data collected from these sites provides a window into the basic mechanisms used for impression fraud and in particular enables us to identify pay-per-view (PPV) networks. PPV networks are comprised of legitimate websites that use JavaScript provided by PPV network service providers to render unwanted web pages "underneath" requested content on a real user’s browser so that additional advertising impressions are registered. We describe the characteristics of the PPV network ecosystem and the typical methods for delivering fraudulent impressions. We also provide a case study of the scope of PPV networks in the Internet. Our results show that these networks deliver hundreds of millions of fraudulent impressions per day, resulting in hundreds of millions of lost advertising dollars annually. Characteristics unique to traffic delivered via PPV networks are also discussed. We conclude with recommendations for countermeasures that can reduce the scope and impact of PPV networks.

The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions

Tao Zhu, Independent Researcher; David Phipps, Bowdoin College; Adam Pridgen, Rice University; Jedidiah R. Crandall, University of New Mexico; Dan S. Wallach, Rice University

Weibo and other popular Chinese microblogging sites are well known for exercising internal censorship, to comply with Chinese government requirements. This research seeks to quantify the mechanisms of this censorship: how fast and how comprehensively posts are deleted. Our analysis considered 2.38 million posts gathered over roughly two months in 2012, with our attention focused on repeatedly visiting “sensitive” users. This gives us a view of censorship events within minutes of their occurrence, albeit at a cost of our data no longer representing a random sample of the general Weibo population. We also have a larger 470 million post sampling from Weibo’s public timeline, taken over a longer time period, that is more representative of a random sample.

We found that deletions happen most heavily in the first hour after a post has been submitted. Focusing on original posts, not reposts/retweets, we observed that nearly 30% of the total deletion events occur within 5–30 minutes. Nearly 90% of the deletions happen within the first 24 hours. Leveraging our data, we also considered a variety of hypotheses about the mechanisms used by Weibo for censorship, such as the extent to which Weibo’s censors use retrospective keyword-based censorship, and how repost/retweet popularity interacts with censorship. We also used natural language processing techniques to analyze which topics were more likely to be censored.

6:00 p.m.–7:30 p.m. Wednesday

USENIX Security '13 Symposium Reception

Columbia ABC and Foyer

Don't miss the USENIX Security '13 Symposium Reception, featuring dinner, drinks, and the chance to connect with other attendees, speakers, and conference organizers.

8:00 p.m.–9:30 p.m. Wednesday

USENIX Security '13 Rump Session

Regency A

We will host a rump session on the evening of Wednesday, August 14, 2013. This is intended as an informal session for short and engaging presentations on recent unpublished results, work in progress, or other topics of interest to the USENIX Security attendees. As in the past, talks do not always need to be serious. To submit a rump session talk, email sec13rump@usenix.org by Wednesday, August 14, 2013, 11:59 a.m. EDT.

Thursday, August 15, 2013

8:30 a.m.–9:00 a.m. Thursday

Continental Breakfast

Hall of Battles

9:00 a.m.–10:30 a.m. Thursday

Thursday Keynote Address

Regency Ballroom

The White House's Priorities for Cybersecurity

Andy Ozment, Senior Director for Cybersecurity, White House

Andy Ozment will describe the view on cybersecurity from the White House, including the Administration's cybersecurity priorities and the current state of cybersecurity legislation. Andy will also discuss the implementation of Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, which the President announced at the State of the Union.

Dr. Andy Ozment is the Senior Director for Cybersecurity at the White House. As one of two deputies to the Cybersecurity Coordinator, Andy leads a team of individuals who develop national policy and coordinate federal cybersecurity efforts in the areas of critical infrastructure protection, legislative proposals, executive branch security, privacy and civil liberties, information sharing, and incident response. In a prior stint at the White House, Andy led the effort to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC) and established the Administration’s priorities for federal agency cybersecurity.

Andy has previously worked in operational network security, as a programmer, in government policy, and as a researcher in different government agencies, academia, and industry. He has a PhD in Computer Science from the University of Cambridge, an MS in International Relations from the London School of Economics, and a BS in Computer Science from Georgia Tech.

Available Media
10:30 a.m.–11:00 a.m. Thursday

Break with Refreshments

Hall of Battles

11:00 a.m.–12:30 p.m. Thursday

Large-Scale Systems Security II

Regency BCD

Session Chair: Stuart Schechter, Microsoft Research

You Are How You Click: Clickstream Analysis for Sybil Detection

Gang Wang and Tristan Konolige, University of California, Santa Barbara; Christo Wilson, Northeastern University; Xiao Wang, Renren Inc.; Haitao Zheng and Ben Y. Zhao, University of California, Santa Barbara

Fake identities and Sybil accounts are pervasive in today’s online communities. They are responsible for a growing number of threats, including fake product reviews, malware and spam on social networks, and astroturf political campaigns. Unfortunately, studies show that existing tools such as CAPTCHAs and graph-based Sybil detectors have not proven to be effective defenses.

In this paper, we describe our work on building a practical system for detecting fake identities using server-side clickstream models. We develop a detection approach that groups “similar” user clickstreams into behavioral clusters, by partitioning a similarity graph that captures distances between clickstream sequences. We validate our clickstream models using ground-truth traces of 16,000 real and Sybil users from Renren, a large Chinese social network with 220M users. We propose a practical detection system based on these models, and show that it provides very high detection accuracy on our clickstream traces. Finally, we worked with collaborators at Renren and LinkedIn to test our prototype on their server-side data. Following positive results, both companies have expressed strong interest in further experimentation and possible internal deployment.

Available Media

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

Devdatta Akhawe, University of California, Berkeley; Adrienne Porter Felt, Google, Inc.

We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome’s in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox’s malware and phishing warnings, a quarter of Google Chrome’s malware and phishing warnings, and a third of Mozilla Firefox’s SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users. We also find that user behavior varies across warnings. In contrast to the other warnings, users continued through 70.2% of Google Chrome’s SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers.

Available Media

An Empirical Study of Vulnerability Rewards Programs

Matthew Finifter, Devdatta Akhawe, and David Wagner, University of California, Berkeley

We perform an empirical study to better understand two well-known vulnerability rewards programs, or VRPs, which software vendors use to encourage community participation in finding and responsibly disclosing software vulnerabilities. The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identification of security vulnerabilities. The Firefox VRP has cost approximately $570,000 over the last 3 years and has yielded 190 bounties. 28% of Chrome’s patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox’s, are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers. The Chrome VRP features low expected payouts accompanied by high potential payouts, while the Firefox VRP features fixed payouts. Finding vulnerabilities for VRPs typically does not yield a salary comparable to a full-time job; the common case for recipients of rewards in either program is that they have received only one reward. Firefox has far more critical-severity vulnerabilities than Chrome, which we believe is attributable to an architectural difference between the two browsers.

Available Media

Applied Crypto II

Regency A

Session Chair: Matt Green, Johns Hopkins University

Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

Henry Carter, Georgia Institute of Technology; Benjamin Mood, University of Oregon; Patrick Traynor, Georgia Institute of Technology; Kevin Butler, University of Oregon

Garbled circuits provide a powerful tool for jointly evaluating functions while preserving the privacy of each user’s inputs. While recent research has made the use of this primitive more practical, such solutions generally assume that participants are symmetrically provisioned with massive computing resources. In reality, most people on the planet only have access to the comparatively sparse computational resources associated with their mobile phones, and those willing and able to pay for access to public cloud computing infrastructure cannot be assured that their data will remain unexposed. We address this problem by creating a new SFE protocol that allows mobile devices to securely outsource the majority of computation required to evaluate a garbled circuit. Our protocol, which builds on the most efficient garbled circuit evaluation techniques, includes a new outsourced oblivious transfer primitive that requires significantly less bandwidth and computation than standard OT primitives and outsourced input validation techniques that force the cloud to prove that it is executing all protocols correctly. After showing that our extensions are secure in the malicious model, we conduct an extensive performance evaluation for a number of standard SFE test applications as well as a privacy-preserving navigation application designed specifically for the mobile usecase. Our system reduces execution time by 98.92% and bandwidth by 99.95% for the edit distance problem of size 128 compared to non-outsourced evaluation. These results show that even the least capable devices are capable of evaluating some of the largest garbled circuits generated for any platform.

Available Media

On the Security of RC4 in TLS

Nadhem AlFardan, Royal Holloway, University of London; Daniel J. Bernstein, University of Illinois at Chicago and Technische Universiteit Eindhoven; Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt, Royal Holloway, University of London

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto protocol standard for secured Internet and mobile applications. TLS supports several symmetric encryption options, including a scheme based on the RC4 stream cipher. In this paper, we present ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption. Our attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper. Our results are supported by an experimental evaluation of the feasibility of the attacks. We also discuss countermeasures.

Available Media

PCF: A Portable Circuit Format for Scalable Two-Party Secure Computation

Ben Kreuter, University of Virginia; Benjamin Mood, University of Oregon; Abhi Shelat, University of Virginia; Kevin Butler, University of Oregon

A secure computation protocol for a function ƒ (x,y) must leak no information about inputs x,y during its execution; thus it is imperative to compute the function ƒ in a data-oblivious manner. Traditionally, this has been accomplished by compiling ƒ into a boolean circuit. Previous approaches, however, have scaled poorly as the circuit size increases. We present a new approach to compiling such circuits that is substantially more efficient than prior work. Our approach is based on online circuit compression and lazy gate generation. We implemented an optimizing compiler for this new representation of circuits, and evaluated the use of this representation in two secure computation environments. Our evaluation demonstrates the utility of this approach, allowing us to scale secure computation beyond any previous system while requiring substantially less CPU time and disk space. In our largest test, we evaluate an RSA-1024 signature function with more than 42 billion gates, that was generated and optimized using our compiler. With our techniques, the bottleneck in secure computation lies with the cryptographic primitives, not the compilation or storage of circuits.

Available Media
12:30 p.m.–2:00 p.m. Thursday

Lunch, on your own

2:00 p.m.–3:30 p.m. Thursday

Protecting and Understanding Binaries

Regency BCD

Session Chair: Ben Livshits, Microsoft Research

Control Flow Integrity for COTS Binaries

Mingwei Zhang and R. Sekar, Stony Brook University
Awarded Best Paper!

Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in the binary. In contrast, we present a technique for applying CFI to stripped binaries on x86/Linux. Ours is the first work to apply CFI to complex shared libraries such as glibc. Through experimental evaluation, we demonstrate that our CFI implementation is effective against control-flow hijack attacks, and eliminates the vast majority of ROP gadgets. To achieve this result, we have developed robust techniques for disassembly, static analysis, and transformation of large binaries. Our techniques have been tested on over 300MB of binaries (executables and shared libraries).

Available Media

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring

Edward J. Schwartz, Carnegie Mellon University; JongHyup Lee, Korea National University of Transportation; Maverick Woo and David Brumley, Carnegie Mellon University

There are many security tools and techniques for analyzing software, but many of them require access to source code. We propose leveraging decompilation, the study of recovering abstractions from compiled code, to apply existing source-based tools and techniques to compiled programs. A decompiler should focus on two properties to be used for security. First, it should recover abstractions as much as possible to minimize the complexity that must be handled by the security analysis that follows. Second, it should aim to recover these abstractions correctly.

Previous work in control-flow structuring, an abstraction recovery problem used in decompilers, does not provide either of these properties. Specifically, existing structuring algorithms are not semantics-preserving, which means that they cannot safely be used for decompilation without modification. Existing structural algorithms also miss opportunities for recovering control flow structure. We propose a new structuring algorithm in this paper that addresses these problems.

We evaluate our decompiler, Phoenix, and our new structuring algorithm, on a set of 107 real world programs from GNU coreutils. Our evaluation is an order of magnitude larger than previous systematic studies of end-to-end decompilers. We show that our decompiler outperforms the de facto industry standard decompiler Hex-Rays in correctness by 114%, and recovers 30× more control-flow structure than existing structuring algorithms in the literature.

Available Media

Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors

Bin Zeng and Gang Tan, Lehigh University; Úlfar Erlingsson, Google Inc.

Low-level Inlined Reference Monitors (IRM) such as control-flow integrity and software-based fault isolation can foil numerous software attacks. Conventionally, those IRMs are implemented through binary rewriting or transformation on equivalent low-level programs that are tightly coupled with a specific Instruction Set Architecture (ISA). Resulting implementations have poor retargetability to different ISAs. This paper introduces an IRM-implementation framework at a compiler intermediate-representation (IR) level. The IR-level framework enables easy retargetability to different ISAs, but raises the challenge of how to preserve security at the low level, as the compiler backend might invalidate the assumptions at the IR level. We propose a constraint language to encode the assumptions and check whether they still hold after the backend transformations and optimizations. Furthermore, an independent verifier is implemented to validate the security of low-level code. We have implemented the framework inside LLVM to enforce the policy of control-flow integrity and data sandboxing for both reads and writes. Experimental results demonstrate that it incurs modest runtime overhead of 19.90% and 25.34% on SPECint2000 programs for x86-32 and x86-64, respectively.

Available Media

Invited Talk

Regency A

Confessions of a "Recovering" Data Broker: Responsible Innovation in the Age of Big Data, Big Brother, and the Coming Skynet Terminators

Jim Adler, VP of Products, Metanautix

It's been said that the human brain is comprised of 300 million pattern matchers fed with data from our five primary senses and memories. In this age of distributed computing and cheap storage in the cloud, "thinking" without a biological brain is possible for the first time in history. The sensory input into this new, extracorporeal brain is big data. Global data supply chains carry exabytes of government, corporate, and social data powering breakthrough uses in medicine, transportation, communications, and energy. However, equally fantastic is the specter of abuses by powerful players to exploit private information, subtly discriminate, or mistakenly prosecute the innocent. This talk will discuss the current state of these data supply chains, where they are headed, and the societal implications for privacy, security, and liberty.

Jim Adler is a business executive, entrepreneur, and thought leader on big data, privacy, security, and voting systems. He’s founded companies, defined vision and strategy, led teams, developed technology, and built products.

Most recently, Jim was Vice President, Data Systems, at inome and the first Chief Privacy Officer at Intelius. Jim led the big data team that powers the company’s products as well as serving as its chief consumer advocate.

Prior to inome and Intelius, Jim served as president and chief technology officer at Identity.net, an Internet company giving consumers control of their online identity and reputation. He was the founder and CEO of VoteHere, a pioneer in the development of private and secure electronic voting, both online and offline. He is a co-inventor of patents related to cryptographic voting and digital signatures.

Jim received his bachelor’s degree with high honors in electrical engineering from the University of Florida and his master’s degree in electrical and computer engineering from the University of California, San Diego.

Jim blogs about privacy, data, and leadership at jimadler.me. Follow him on Twitter @jim_adler.

Available Media
3:30 p.m.–4:00 p.m. Thursday

Break with Refreshments

Hall of Battles

4:00 p.m.–5:30 p.m. Thursday

Current and Future Systems Security

Regency BCD

Session Chair: Adrienne Porter Felt, Google

On the Security of Picture Gesture Authentication

Ziming Zhao and Gail-Joon Ahn, Arizona State University and GFS Technology, Inc.; Jeong-Jin Seo, Arizona State University; Hongxin Hu, Delaware State University

Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8™ operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users’ password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

Available Media

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization

Rui Wang, Microsoft Research Redmond; Yuchen Zhou, University of Virginia; Shuo Chen and Shaz Qadeer, Microsoft Research Redmond; David Evans, University of Virginia; Yuri Gurevich, Microsoft Research Redmond

Most modern applications are empowered by online services, so application developers frequently implement authentication and authorization. Major online providers, such as Facebook and Microsoft, provide SDKs for incorporating authentication services. This paper considers whether those SDKs enable typical developers to build secure apps. Our work focuses on systematically explicating implicit assumptions that are necessary for secure use of an SDK. Understanding these assumptions depends critically on not just the SDK itself, but on the underlying runtime systems. We present a systematic process for identifying critical implicit assumptions by building semantic models that capture both the logic of the SDK and the essential aspects of underlying systems. These semantic models provide the explicit basis for reasoning about the security of an SDK. We use a formal analysis tool, along with the semantic models, to reason about all applications that can be built using the SDK. In particular, we formally check whether the SDK, along with the explicitly captured assumptions, is sufficient to imply the desired security properties. We applied our approach to three widely used authentication/authorization SDKs. Our approach led to the discovery of several implicit assumptions in each SDK, including issues deemed serious enough to receive Facebook bug bounties and change the OAuth 2.0 specification. We verified that many apps constructed with these SDKs (indeed, the majority of apps in our study) are vulnerable to serious exploits because of these implicit assumptions, and we built a prototype testing tool that can detect several of the vulnerability patterns we identified.

Available Media

Enabling Fine-Grained Permissions for Augmented Reality Applications with Recognizers

Suman Jana, The University of Texas at Austin; David Molnar and Alexander Moshchuk, Microsoft; Alan Dunn, The University of Texas at Austin; Benjamin Livshits, Helen J. Wang, and Eyal Ofek, Microsoft Research

Augmented reality (AR) applications sense the environment, then render virtual objects on human senses. Examples include smartphone applications that annotate storefronts with reviews and XBox Kinect games that show "avatars" mimicking human movements. No current OS has special support for such applications. As a result, permissions for AR applications are necessarily coarse-grained: applications must ask for access to raw sensor feeds, such as video and audio. These raw feeds expose significant additional information beyond what applications need, including sensitive information such as the user’s location, face, or surroundings.

Instead of exposing raw sensor data to applications directly, we introduce a new OS abstraction: the recognizer. A recognizer takes raw sensor data as input and exposes higher-level objects, such as a skeleton or a face, to applications. We propose a fine-grained permission system where applications request permissions at the granularity of recognizer objects. We analyze 87 shipping AR applications and find that a set of four core recognizers covers almost all current apps. We also introduce privacy goggles, a visualization of sensitive data exposed to an application. Surveys of 962 people establish a clear "privacy ordering" over recognizers and demonstrate that privacy goggles are effective at communicating application capabilities. We build a prototype on Windows that exposes nine recognizers to applications, including the Kinect skeleton tracker. Our prototype incurs negligible overhead for single applications, while improving performance of concurrent applications and enabling secure offloading of heavyweight recognizer computation.

Available Media

Hardware and Embedded Security I

Regency A

Session Chair: Kevin Fu, University of Michigan

CacheAudit: A Tool for the Static Analysis of Cache Side Channels

Goran Doychev, IMDEA Software Institute; Dominik Feld, Saarland University; Boris Köpf and Laurent Mauborgne, IMDEA Software Institute; Jan Reineke, Saarland University

We present CacheAudit, a versatile framework for the automatic, static analysis of cache side channels. CacheAudit takes as input a program binary and a cache configuration, and it derives formal, quantitative security guarantees for a comprehensive set of side-channel adversaries, namely those based on observing cache states, traces of hits and misses, and execution times.

Our technical contributions include novel abstractions to efficiently compute precise overapproximations of the possible side-channel observations for each of these adversaries. These approximations then yield upper bounds on the information that is revealed. In case studies we apply CacheAudit to binary executables of algorithms for symmetric encryption and sorting, obtaining the first formal proofs of security for implementations with countermeasures such as preloading and data-independent memory access patterns.

Available Media

Transparent ROP Exploit Mitigation Using Indirect Branch Tracing

Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis, Columbia University

Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations.

In this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for installed programs in the same fashion as user-friendly mitigation toolkits like Microsoft’s EMET. The results of our evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially crafted workloads that continuously trigger its core detection component, while it has negligible overhead for actual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all tested applications, including Internet Explorer, Adobe Flash Player, and Adobe Reader.

Available Media

FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution

Drew Davidson, Benjamin Moench, Somesh Jha, and Thomas Ristenpart, University of Wisconsin—Madison

Embedded systems increasingly use software-driven low-power microprocessors for security-critical settings, surfacing a need for tools that can audit the security of the software (often called firmware) running on such devices. Despite the fact that firmware programs are often written in C, existing source-code analysis tools do not work well for this setting because of the specific architectural features of low-power platforms. We therefore design and implement a new tool, called FIE, that builds off the KLEE symbolic execution engine in order to provide an extensible platform for detecting bugs in firmware programs for the popular MSP430 family of microcontrollers. FIE incorporates new techniques for symbolic execution that enable it to verify security properties of the simple firmwares often found in practice. We demonstrate FIE’s utility by applying it to a corpus of 99 open-source firmware programs that altogether use 13 different models of the MSP430. We are able to verify memory safety for the majority of programs in this corpus and elsewhere discover 21 bugs.

Available Media
6:00 p.m.–7:30 p.m. Thursday

Poster Session and Happy Hour

Columbia ABC and Foyer

Would you like to share a provocative opinion, interesting preliminary work, or a cool idea that will spark discussion at this year’s USENIX Security Symposium? The poster session is the perfect venue to introduce such new or ongoing work. Poster presenters will have the entirety of the evening reception to discuss their work, get exposure, and receive feedback from attendees. Find out more here.


Friday, August 16, 2013

8:30 a.m.–9:00 a.m. Friday

Continental Breakfast

Hall of Battles

9:00 a.m.–10:30 a.m. Friday

Hardware and Embedded Security II

Regency BCD

Session Chair: Cynthia Sturton, University of California, Berkeley

Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base

Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, and Frank Piessens, KU Leuven

In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low.

We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus protected software modules.

Available Media

Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation

Frank Imeson, Ariq Emtenan, Siddharth Garg, and Mahesh V. Tripunitara, University of Waterloo
Awarded Best Student Paper!

The fabrication of digital Integrated Circuits (ICs) is increasingly outsourced. Given this trend, security is recognized as an important issue. The threat agent is an attacker at the IC foundry that has information about the circuit and inserts covert, malicious circuitry. The use of 3D IC technology has been suggested as a possible technique to counter this threat. However, to our knowledge, there is no prior work on how such technology can be used effectively. We propose a way to use 3D IC technology for security in this context. Specifically, we obfuscate the circuit by lifting wires to a trusted tier, which is fabricated separately. This is referred to as split manufacturing. For this setting, we provide a precise notion of security, that we call k-security, and a characterization of the underlying computational problems and their complexity. We further propose a concrete approach for identifying sets of wires to be lifted, and the corresponding security they provide. We conclude with a comprehensive empirical assessment with benchmark circuits that highlights the security versus cost trade-offs introduced by 3D IC based circuit obfuscation.

Available Media

KI-Mon: A Hardware-assisted Event-triggered Monitoring Platform for Mutable Kernel Object

Hojoon Lee, Korea Advanced Institute of Science and Technology (KAIST); HyunGon Moon, Seoul National University; DaeHee Jang and Kihwan Kim, Korea Advanced Institute of Science and Technology (KAIST); Jihoon Lee and Yunheung Paek, Seoul National University; Brent ByungHoon Kang, Korea Advanced Institute of Science and Technology (KAIST)

Kernel rootkits undermine the integrity of system by manipulating its operating system kernel. External hardware-based monitors can serve as a root of trust that is resilient to rootkit attacks. The existing external hardware-based approaches lack an event-triggered verification scheme for mutable kernel objects. To address the issue, we present KI-Mon, a hardware-based platform for event-triggered kernel integrity monitor. A refined form of bus traffic monitoring efficiently verifies the update values of the objects, and callback verification routines can be programmed and executed for a designated event space. We have built a KI-Mon prototype to demonstrate the efficacy of KI-Mon’s event-triggered mechanism in terms of performance overhead for the monitored host system and the processor usage of the KI-Mon processor.

Available Media

Invited Talk

Regency A

Security Team 2.0

Chris Evans, Google Chrome Security Team

The Chrome Security Team was founded in 2009 and has adopted a different approach and structure to traditional security teams. We hypothesize that some of Chrome Security's successes can be directly attributed to the unconventional approach. We will freely share details in the hope that progressive organizations will be interested in adopting some of the same tactics.

Chris Evans founded and built the Chrome Security Team, starting in 2009. He has enjoyed involving the wider security community through the Chromium Vulnerability Reward Program and Pwnium initiatives, as well as defending the Internet against the DigiNotar Certificate Authority compromise. As time permits, Chris is a vulnerability researcher, speaking at various worldwide conferences and serving on talk and paper selection panels. Chris also enjoys contributing to open source and security design best practices, being the author of vsftpd and its "privsep" concept.

10:30 a.m.–11:00 a.m. Friday

Break with Refreshments

Hall of Battles

11:00 a.m.–12:30 p.m. Friday

Mobile Security II

Regency BCD

Session Chair: Shuo Chen, Microsoft Research

WHYPER: Towards Automating Risk Assessment of Mobile Applications

Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie, North Carolina State University

Application markets such as Apple’s App Store and Google’s Play Store have played an important role in the popularity of smartphones and mobile devices. However, keeping malware out of application markets is an ongoing challenge. While recent work has developed various techniques to determine what applications do, no work has provided a technical approach to answer, what do users expect? In this paper, we present the first step in addressing this challenge. Specifically, we focus on permissions for a given application and examine whether the application description provides any indication for why the application needs a permission. We present WHYPER, a framework using Natural Language Processing (NLP) techniques to identify sentences that describe the need for a given permission in an application description. WHYPER achieves an average precision of 82.8%, and an average recall of 81.5% for three permissions (address book, calendar, and record audio) that protect frequently used security and privacy sensitive resources. These results demonstrate great promise in using NLP techniques to bridge the semantic gap between user expectations and application functionality, further aiding the risk assessment of mobile applications.

Effective Inter-Component Communication Mapping in Android: An Essential Step Towards Holistic Security Analysis

Damien Octeau and Patrick McDaniel, Pennsylvania State University; Somesh Jha, University of Wisconsin—Madison; Alexandre Bartel, University of Luxembourg; Eric Bodden, Technische Universität Darmstadt; Jacques Klein and Yves Le Traon, University of Luxembourg

Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of applications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further, the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.

Jekyll on iOS: When Benign Apps Become Evil

Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee, Georgia Institute of Technology

Apple adopts the mandatory app review and code signing mechanisms to ensure that only approved apps can run on iOS devices. In this paper, we present a novel attack method that fundamentally defeats both mechanisms. Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks.

The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.

We implemented a proof-of-concept Jekyll app and successfully published it in the App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, a Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Note: Updated version contains the corrected acknowledgements

Large Scale Systems Security III

Regency A

Session Chair: Micah Sherr, Georgetown University

Measuring the Practical Impact of DNSSEC Deployment

Wilson Lian, University of California, San Diego; Eric Rescorla, RTFM, Inc.; Hovav Shacham and Stefan Savage, University of California, San Diego

DNSSEC extends DNS with a public-key infrastructure, providing compatible clients with cryptographic assurance for DNS records they obtain, even in the presence of an active network attacker. As with many Internet protocol deployments, administrators deciding whether to deploy DNSSEC for their DNS zones must perform cost/benefit analysis. For some fraction of clients—those that perform DNSSEC validation—the zone will be protected from malicious hijacking. But another fraction of clients—those whose DNS resolvers are buggy and incompatible with DNSSEC—will no longer be able to connect to the zone. Deploying DNSSEC requires making a cost-benefit decision, balancing security for some users with denial of service for others.

We have performed a large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients. Our findings corroborate those of previous researchers in showing that a relatively small fraction of users are protected by DNSSEC-validating resolvers. And we show, for the first time, that enabling DNSSEC measurably increases end-to-end resolution failures. For every 10 clients that are protected from DNS tampering when a domain deploys DNSSEC, approximately one ordinary client (primarily in Asia) becomes unable to access the domain.

ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates

Terry Nelms, Damballa, Inc. and Georgia Institute of Technology; Roberto Perdisci, University of Georgia and Georgia Institute of Technology; Mustaque Ahamad, Georgia Institute of Technology and New York University Abu Dhabi

In this paper, we present ExecScent, a novel system that aims to mine new, previously unknown C&C domain names from live enterprise network traffic. ExecScent automatically learns control protocol templates (CPTs) from examples of known C&C communications. These CPTs are then adapted to the “background traffic” of the network where the templates are to be deployed. The goal is to generate hybrid templates that can self-tune to each specific deployment scenario, thus yielding a better trade-off between true and false positives for a given network environment. To the best of our knowledge, ExecScent is the first system to use this type of adaptive C&C traffic model.

We implemented a prototype version of ExecScent, and deployed it in three different large networks for a period of two weeks. During the deployment, we discovered many new, previously unknown C&C domains and hundreds of new infected machines, compared to using a large up-to-date commercial C&C domain blacklist. Furthermore, we deployed the new C&C domains mined by ExecScent to six large ISP networks, discovering more than 25,000 new infected machines.

ZMap: Fast Internet-wide Scanning and Its Security Applications

Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, University of Michigan

Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet. We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high speed Internet-scale network surveys, both offensive and defensive. We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year.

12:30 p.m.–2:00 p.m. Friday

Lunch, on your own

2:00 p.m.–3:30 p.m. Friday

Web Security

Regency BCD

Session Chair: Elaine Shi, University of Maryland, College Park

Eradicating DNS Rebinding with the Extended Same-origin Policy

Martin Johns and Sebastian Lekies, SAP Research; Ben Stock, Friedrich-Alexander-Universität Erlangen-Nürnberg

The Web’s principal security policy is the Same-Origin Policy (SOP), which enforces origin-based isolation of mutually distrusting Web applications. Since the early days, the SOP has repeatedly been undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. To counter these attacks, the browser vendors introduced countermeasures such as DNS Pinning. In this paper, we present a novel DNS Rebinding attack method leveraging the HTML5 Application Cache. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: the SOP’s main purpose is to ensure the security boundaries of Web servers. However, the Web servers themselves are only indirectly involved in the corresponding security decision. Instead, the SOP relies on information obtained from the domain name system, which is not necessarily controlled by the Web server’s owners. This mismatch is exploited by DNS Rebinding. Based on this insight, we propose a lightweight extension to the SOP which takes Web server provided information into account. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation’s interoperability and security properties.

Revolver: An Automated Approach to the Detection of Evasive Web-based Malware

Alexandros Kapravelos and Yan Shoshitaishvili, University of California, Santa Barbara; Marco Cova, University of Birmingham; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara

In recent years, attacks targeting web browsers and their plugins have become a prevalent threat. Attackers deploy web pages that contain exploit code, typically written in HTML and JavaScript, and use them to compromise unsuspecting victims. Initially, static techniques, such as signature-based detection, were adequate to identify such attacks. The response from the attackers was to heavily obfuscate the attack code, rendering static techniques insufficient. This led to dynamic analysis systems that execute the JavaScript code included in web pages in order to expose malicious behavior. However, today we are facing a new reaction from the attackers: evasions. The latest attacks found in the wild incorporate code that detects the presence of dynamic analysis systems and try to avoid analysis and/or detection.

In this paper, we present Revolver, a novel approach to automatically detect evasive behavior in malicious JavaScript. Revolver uses efficient techniques to identify similarities between a large number of JavaScript programs (despite their use of obfuscation techniques, such as packing, polymorphism, and dynamic code generation), and to automatically interpret their differences to detect evasions. More precisely, Revolver leverages the observation that two scripts that are similar should be classified in the same way by web malware detectors (either both scripts are malicious or both scripts are benign); differences in the classification may indicate that one of the two scripts contains code designed to evade a detector tool.

Using large-scale experiments, we show that Revolver is effective at automatically detecting evasion attempts in JavaScript, and its integration with existing web malware analysis systems can support the continuous improvement of detection techniques.

Language-based Defenses Against Untrusted Browser Origins

Karthikeyan Bhargavan and Antoine Delignat-Lavaud, INRIA Paris-Rocquencourt; Sergio Maffeis, Imperial College London

We present new attacks and robust countermeasures for security-sensitive components, such as single sign-on APIs and client-side cryptographic libraries, that need to be safely deployed on untrusted web pages. We show how failing to isolate such components leaves them vulnerable to attacks both from the hosting website and other components running on the same page. These attacks are not prevented by browser security mechanisms alone, because they are caused by code interacting within the same origin. To mitigate these attacks, we propose to combine fine-grained component isolation at the JavaScript level with cryptographic mechanisms. We present Defensive JavaScript (DJS), a subset of the language that guarantees the behavior integrity of scripts even when loaded in a hostile environment. We give a sound type system, type inference tool, and build defensive libraries for cryptography and data encodings. We show the effectiveness of our solution by implementing several applications using defensive patterns that fix some of our original attacks. We present a model extraction tool to analyze the security properties of our applications using a cryptographic protocol verifier.

Invited Talk

Regency A

Building Securable Infrastructure: Open-Source Private Clouds

Pravir Chandra, CTO Security Architect, Bloomberg

Using an open-sourced stack from bottom to top, this presentation will discuss the practical challenges alongside the security opportunities of standing up a private cloud infrastructure. Looking beyond the obvious upside of programmatically definable systems, private clouds present a new platform for security controls that are generally unattainable in traditional infrastructure models. Building on this concept, this talk will present a few interesting security ideas that are currently under development and some that could be the subject of future research.

Pravir Chandra is a veteran in the security space. Currently as CTO Security Architect of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he led software security assurance programs for Fortune 500 clients in a variety of verticals. As lead designer and author of the Open Software Assurance Maturity Model (OpenSAMM), he is responsible for standing up the most comprehensive and measurably effective programs in existence today. Pravir has written many articles, white papers, and books and is routinely invited to speak at businesses and conferences worldwide.

3:30 p.m.–4:00 p.m. Friday

Break with Refreshments

Hall of Battles

4:00 p.m.–5:30 p.m. Friday

Invited Talk

Regency BCD

Tracking the Casino Computer Wars: Who’s Winning—the Casino or the Cheat?

Richard Marcus, Casino Cheating and Fraud Consultant; Author of American Roulette, The Great Casino Heist, Dirty Poker, World’s Greatest Gambling Scams, and Identity Theft, Incorporated

The talk will open with an entertaining demonstration of what is widely considered the best casino-cheating move ever that made millions and fooled state-of-the-art video surveillance technology only because the move was so simple-stupid. Marcus will move on to cover how modern-day casino cheats use computers to scam tables and how casinos battle back with their own. He will discuss roulette computers, RFID technology, hacking into online gaming, and hacking into land casinos’ security systems.

For 25 years, Richard Marcus directed sophisticated casino-cheating teams across the entire world. He developed and carried out a series of cheating moves that not only fooled surveillance video cameras but also turned them into his allies. Today Marcus serves as an international casino game-protection consultant training casino floor and surveillance personnel. He has published five books and written dozens of magazine articles on the subject, and has been a guest on several network TV news and entertainment shows including NBC Today and Entertainment Tonight. 

Attacks

Regency A

Session Chair: Thorsten Holz, Ruhr-Universität Bochum

Take This Personally: Pollution Attacks on Personalized Services

Xinyu Xing, Wei Meng, and Dan Doozan, Georgia Institute of Technology; Alex C. Snoeren, University of California, San Diego; Nick Feamster and Wenke Lee, Georgia Institute of Technology

Modern Web services routinely personalize content to appeal to the specific interests, viewpoints, and contexts of individual users. Ideally, personalization allows sites to highlight information uniquely relevant to each of their users, thereby increasing user satisfaction—and, eventually, the service’s bottom line. Unfortunately, as we demonstrate in this paper, the personalization mechanisms currently employed by popular services have not been hardened against attack. We show that third parties can manipulate them to increase the visibility of arbitrary content—whether it be a new YouTube video, an unpopular product on Amazon, or a low-ranking website in Google search returns. In particular, we demonstrate that attackers can inject information into users’ profiles on these services, thereby perturbing the results of the services’ personalization algorithms. While the details of our exploits are tailored to each service, the general approach is likely to apply quite broadly. By demonstrating the attack against three popular Web services, we highlight a new class of vulnerability that allows an attacker to affect a user’s experience with a service, unbeknownst to the user or the service provider.

Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services

Ruoyu Wang, University of California, Santa Barbara, and Tsinghua University; Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

Streaming movies online is quickly becoming the way in which users access video entertainment. This has been powered by the ubiquitous presence of the Internet and the availability of a number of hardware platforms that make access to movies convenient. Often, video-on-demand services use a digital rights management system to prevent the user from duplicating videos, because much of the economic model of video streaming services relies on the fact that the videos cannot easily be saved to permanent storage and (illegally) shared with other customers. In this paper, we introduce a general memory-based approach that circumvents the protections deployed by popular video-on-demand providers. We apply our approach to four different examples of streaming services: Amazon Instant Video, Hulu, Spotify, and Netflix, and we demonstrate that, by using our technique, it is possible to break DRM protection in a semi-automated way.

Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer

Presentation Only
Speaker: Roel Verdult, Radboud University Nijmegen
Authors: Roel Verdult, Radboud University Nijmegen; Flavio D. Garcia, University of Birmingham; Baris Ege, Radboud University Nijmegen

Update: This paper was presented at the 24th USENIX Security Symposium on August 12, 2015.

Due to a recent injunction by the High Court of London this talk cannot cover the technical core of the accepted paper. Instead, it will describe the background and context of the work we did on vehicle immobilizer systems. It puts our study in a broader spectrum of related work that is available in the academic literature. Furthermore, it mentions several alternative immobilizer systems that were introduced years ago by academia and industry which use openly designed and well-studied encryption algorithms like the Advanced Encryption Standard (AES).
