Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Home
  • Attend
    • Venue, Hotel, and Travel
    • Students and Grants
    • Co-Located Workshops
  • Program
    • At a Glance
    • Technical Sessions
    • Poster Session
  • Activities
    • Birds-of-a-Feather Sessions
    • Poster Session
    • WiPs
  • Participate
    • Call for Papers
      • Important Dates
      • Symposium Organizers
      • Symposium Topics
      • Refereed Papers
      • Shadow PC
      • Symposium Activities
      • Submitting Papers
    • Instructions for Participants
  • Sponsorship
  • About
    • Symposium Organizers
    • Services
    • Questions
    • Help Promote!
    • Past Symposia
  • Home
  • Attend
    • Venue, Hotel, and Travel
    • Students and Grants
    • Co-Located Workshops
  • Program
    • At a Glance
    • Technical Sessions
    • Poster Session
  • Activities
  • Participate
    • Call for Papers
    • Instructions for Participants
  • Sponsorship
  • About
    • Symposium Organizers
    • Services
    • Questions
    • Help Promote!
    • Past Symposia

sponsors

Platinum Sponsor
Gold Sponsor
Gold Sponsor
Silver Sponsor
Silver Sponsor
Silver Sponsor
Bronze Sponsor
Bronze Sponsor
General Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Industry Partner
Industry Partner

help promote

USENIX Security '16 button

Get more
Help Promote graphics!

connect with usenix


  •  Twitter
  •  Facebook
  •  LinkedIn
  •  Google+
  •  YouTube

twitter

Tweets by USENIXSecurity

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » Program » Technical Sessions
Tweet

connect with us

Technical Sessions

The full Proceedings published by USENIX for the conference are available for download below. Individual papers can also be downloaded from the presentation page. Copyright to the individual works is retained by the author[s].

Proceedings Front Matter 
Proceedings Cover | Title Page and List of Organizers | Table of Contents | Message from the Program Chair

Full Proceedings PDFs
 USENIX Security '15 Full Proceedings (PDF)
 USENIX Security '15 Proceedings Interior (PDF, best for mobile devices)
 USENIX Security '15 Errata Slip (PDF)
 Supplement to the Proceedings of the 22nd USENIX Security Symposium (PDF)

Full Proceedings ePub (for iPad and most eReaders)
 USENIX Security '15 Full Proceedings (ePub)

Full Proceedings Mobi (for Kindle)
 USENIX Security '15 Full Proceedings (Mobi)

Downloads for Registered Conference Attendees

Attendee Files 

(Registered attendees: Sign in to your USENIX account to download these files.)

USENIX Security '15 Proceedings Archive (7z)
USENIX Security '15 Attendee List (PDF)

 

All sessions will take place at the Hyatt Regency Washington on Capitol Hill.

Wednesday, August 12, 2015

7:30 am–8:10 am Wednesday

Continental Breakfast

Hall of Battles

8:10 am–8:30 am Wednesday

Lightning Talks for the One-Track Mind

Regency Ballroom

Building upon the success of the last year, we begin each day with a lightning talks session, offering a 60-second preview of the papers to be presented on the day. For authors, it’s an opportunity to provide more reasons why people should come to your talk. For attendees, it’s an opportunity to hear an elevator pitch for the papers you will have to miss today.

8:30 am–9:00 am Wednesday

Opening Remarks and Awards

Program Chair: Jaeyeon Jung, Microsoft Research

Regency Ballroom

9:00 am–10:30 am Wednesday

Keynote Address

Regency Ballroom

Inherent Cyber Insecurity and Our National Security: Surviving on a Diet of Poisoned Fruit

9:00 am-10:30 am

Dr. Richard J. Danzig, former Secretary of the Navy and consultant to U.S. Intelligence and Defense Agencies, and member of the Defense Policy Board, the President’s Intelligence Advisory Board, and the Homeland Security Secretary’s Advisory Council

Richard Danzig is a member of the Defense Policy Board, The President’s Intelligence Advisory Board, and the Homeland Security Secretary’s Advisory Council, a Trustee of Reed College and of the RAND Corporation, a Director of the Center for a New American Security and a Director of Saffron Hill Ventures (a European investment firm). In recent time he has been a director of National Semiconductor Corporation (NY Stock Exchange) and Human Genome Sciences Corporation (NASDAQ). He has also served as The Chairman of the Board of The Center for a New American Security, Vice Chair of RAND, and Chairman of the Board of the Center for Strategic and Budgetary Assessments.

Cyber systems are a security paradox. Even as they grant unprecedented powers, they also make users less secure. They nourish us, but at the same time they weaken and poison us. This talk aims to illuminate causes of this insecurity, reasons it is ineradicable, and policy consequences that should flow from this perception. It aims particularly to connect insight into digital technologies with recommendations for new approaches to enhance American national security.

Cyber systems are a security paradox. Even as they grant unprecedented powers, they also make users less secure. They nourish us, but at the same time they weaken and poison us. This talk aims to illuminate causes of this insecurity, reasons it is ineradicable, and policy consequences that should flow from this perception. It aims particularly to connect insight into digital technologies with recommendations for new approaches to enhance American national security.

Richard Danzig is a member of the Defense Policy Board, The President’s Intelligence Advisory Board, and the Homeland Security Secretary’s Advisory Council, a Trustee of Reed College and of the RAND Corporation, a Director of the Center for a New American Security and a Director of Saffron Hill Ventures (a European investment firm). In recent time he has been a director of National Semiconductor Corporation (NY Stock Exchange) and Human Genome Sciences Corporation (NASDAQ). He has also served as The Chairman of the Board of The Center for a New American Security, Vice Chair of RAND, and Chairman of the Board of the Center for Strategic and Budgetary Assessments.

Available Media

  • Read more about Inherent Cyber Insecurity and Our National Security: Surviving on a Diet of Poisoned Fruit
10:30 am–11:00 am Wednesday

Break with Refreshments

Hall of Battles

11:00 am–12:30 pm Wednesday

Measurement: We Didn't Start the Fire

Refereed Papers I
Regency A

Session Chair: Damon McCoy, New York University

Post-Mortem of a Zombie: Conficker Cleanup After Six Years

Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology

Research on botnet mitigation has focused predominantly on methods to technically disrupt the commandand- control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that support largescale cleanup of end user machines. It has been six years since the Conficker botnet was sinkholed. The attackers have abandoned it. Still, nearly a million machines remain infected. Conficker provides us with a unique opportunity to estimate cleanup rates, because there are relatively few interfering factors at work. This paper is the first to propose a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. We compare the growth, peak, and decay of Conficker across countries. We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact. Cleanup seems even slower than the replacement of machines running Windows XP. In general, the infected users appear outside the reach of current remediation practices. Some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation. These machines can however be magnets for other threats — we find an overlap between GameoverZeus and Conficker infections. We conclude by reflecting on what this means for the future of botnet mitigation.

Available Media

Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World

Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler, University of Florida

Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smart phone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option to cash, these applications are often not subject to the traditional regulations applied in the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers’ terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.

Available Media

Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem

Kyle Soska and Nicolas Christin, Carnegie Mellon University

February 2011 saw the emergence of Silk Road, the first successful online anonymous marketplace, in which buyers and sellers could transact with anonymity properties far superior to those available in alternative online or offline means of commerce. Business on Silk Road, primarily involving narcotics trafficking, rapidly boomed, and competitors emerged. At the same time, law enforcement did not sit idle, and eventually managed to shut down Silk Road in October 2013 and arrest its operator. Far from causing the demise of this novel form of commerce, the Silk Road take-down spawned an entire, dynamic, online anonymous marketplace ecosystem, which has continued to evolve to this day. This paper presents a long-term measurement analysis of a large portion of this online anonymous marketplace ecosystem, including 16 different marketplaces, over more than two years (2013– 2015). By using long-term measurements, and combining our own data collection with publicly available previous efforts, we offer a detailed understanding of the growth of the online anonymous marketplace ecosystem. We are able to document the evolution of the types of goods being sold, and assess the effect (or lack thereof) of adversarial events, such as law enforcement operations or large-scale frauds, on the overall size of the economy. We also provide insights into how vendors are diversifying and replicating across marketplaces, and how vendor security practices (e.g., PGP adoption) are evolving. These different aspects help us understand how traditional, physical-world criminal activities are developing an online presence, in the same manner traditional commerce diversified online in the 1990s.

Available Media

Now You're Just Something That I Used to Code

Refereed Papers II
Regency BCD

Session Chair: David Wagner, University of California, Berkeley

Under-Constrained Symbolic Execution: Correctness Checking for Real Code

David A. Ramos and Dawson Engler, Stanford University
Awarded Best Paper!

Software bugs are a well-known source of security vulnerabilities. One technique for finding bugs, symbolic execution, considers all possible inputs to a program but suffers from scalability limitations. This paper uses a variant, under-constrained symbolic execution, that improves scalability by directly checking individual functions, rather than whole programs. We present UC-KLEE, a novel, scalable framework for checking C/C++ systems code, along with two use cases. First, we use UC-KLEE to check whether patches introduce crashes. We check over 800 patches from BIND and OpenSSL and find 12 bugs, including two OpenSSL denial-of-service vulnerabilities. We also verify (with caveats) that 115 patches do not introduce crashes. Second, we use UC-KLEE as a generalized checking framework and implement checkers to find memory leaks, uninitialized data, and unsafe user input. We evaluate the checkers on over 20,000 functions from BIND, OpenSSL, and the Linux kernel, find 67 bugs, and verify that hundreds of functions are leak free and that thousands of functions do not access uninitialized data.

Available Media

TaintPipe: Pipelined Symbolic Taint Analysis

Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu, The Pennsylvania State University

Taint analysis has a wide variety of compelling applications in security tasks, from software attack detection to data lifetime analysis. Static taint analysis propagates taint values following all possible paths with no need for concrete execution, but is generally less accurate than dynamic analysis. Unfortunately, the high performance penalty incurred by dynamic taint analyses makes its deployment impractical in production systems. To ameliorate this performance bottleneck, recent research efforts aim to decouple data flow tracking logic from program execution. We continue this line of research in this paper and propose pipelined symbolic taint analysis, a novel technique for parallelizing and pipelining taint analysis to take advantage of ubiquitous multi-core platforms. We have developed a prototype system called TaintPipe. TaintPipe performs very lightweight runtime logging to produce compact control flow profiles, and spawns multiple threads as different stages of a pipeline to carry out symbolic taint analysis in parallel. Our experiments show that TaintPipe imposes low overhead on application runtime performance and accelerates taint analysis significantly. Compared to a state-of-the-art inlined dynamic data flow tracking tool, TaintPipe achieves 2:38 times speedup for taint analysis on SPEC 2006 and 2:43 times for a set of common utilities, respectively. In addition, we demonstrate the strength of TaintPipe such as natural support of multi-tag taint analysis with several security applications.

Available Media

Type Casting Verification: Stopping an Emerging Attack Vector

Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee, Georgia Institute of Technology

Facebook Internet Defense Prize Winner!

Many applications such as the Chrome and Firefox browsers are largely implemented in C++ for its performance and modularity. Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities. Since a bad-casted pointer violates a programmer’s intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities. Despite the increasing number of bad-casting vulnerabilities, the bad-casting detection problem has not been addressed by the security community.

In this paper, we present CAVER, a runtime bad-casting detection tool. It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically. In particular, CAVER can be easily and automatically adopted to target applications, achieves broader detection coverage, and incurs reasonable runtime overhead. We have applied CAVER to largescale software including Chrome and Firefox browsers, and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox, all of which have been confirmed and subsequently fixed by vendors. Our evaluation showed that CAVER imposes up to 7.6% and 64.6% overhead for performance-intensive benchmarks on the Chromium and Firefox browsers, respectively.

Available Media

Invited Talk

Lexington/Bunker Hill

 

Machine vs. Machine: Lessons from the First Year of Cyber Grand Challenge

11:00 am-12:30 pm

Mike Walker, DARPA

In 2014 DARPA launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo. Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge were not initially ready to take to the highways, the first generation of automated network defense systems will not be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a league of their own, allowing them to compete head-to-head to defend a network of bespoke software.

In 2014 DARPA launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo. Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge were not initially ready to take to the highways, the first generation of automated network defense systems will not be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a league of their own, allowing them to compete head-to-head to defend a network of bespoke software.

In this talk, I will describe the experimental setup, measurement, and results of the qualifying year of the DARPA Cyber Grand Challenge. I will cover in depth the DECREE platform, which was developed specifically for the first automated CTF competition, focusing on the experiments it enables, its relevance towards funded research in the computer security domain, and its accessibility to program analysis. On June 3rd, 2015, a 24-hour qualifying event will measure CGC systems in competition and help to select up to seven finalists. I will provide a statistical analysis of the results of the CGC qualifying round, including the visualization of successful automated defensive techniques, successes, failures, rates of efficacy, and other findings backed by post-event reverse engineering. Finally, I will close the talk with some initial thoughts regarding experimentation in the domain of adversarial automation.

Mike Walker joined DARPA as a program manager in January 2013. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation "Strikeforce” Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and helped lead CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).

Available Media

  • Read more about Machine vs. Machine: Lessons from the First Year of Cyber Grand Challenge
12:30 pm–2:00 pm Wednesday

Lunch (on your own)

2:00 pm–3:30 pm Wednesday

Tic-Attack-Toe

Refereed Papers I
Regency A

Session Chair: Nadia Heninger, University of Pennsylvania

All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS

Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven
Awarded Best Student Paper!

We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new longterm biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood. To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9•227 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin’s ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.

Available Media

Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS

2:30 pm-3:00 pm

Christina Garman, Johns Hopkins University; Kenneth G. Paterson and Thyla Van der Merwe, University of London

Despite recent high-profile attacks on the RC4 algorithm in TLS, its usage is still running at about 30% of all TLS traffic. We provide new attacks against RC4 in TLS that are focussed on recovering user passwords, still the pre-eminent means of user authentication on the Internet today. Our new attacks use a generally applicable Bayesian inference approach to transform a priori information about passwords in combination with gathered ciphertexts into a posteriori likelihoods for passwords. We report on extensive simulations of the attacks. We also report on a “proof of concept” implementation of the attacks for a specific application layer protocol, namely BasicAuth. Our work validates the truism that attacks only get better with time: we obtain good success rates in recovering user passwords with 226 encryptions, whereas the previous generation of attacks required around 234 encryptions to recover an HTTP session cookie.

Available Media

Eclipse Attacks on Bitcoin’s Peer-to-Peer Network

Ethan Heilman and Alison Kendler, Boston University; Aviv Zohar, The Hebrew University of Jerusalem and MSR Israel; Sharon Goldberg, Boston University

We present eclipse attacks on bitcoin’s peer-to-peer network. Our attack allows an adversary controlling a sufficient number of IP addresses to monopolize all connections to and from a victim bitcoin node. The attacker can then exploit the victim for attacks on bitcoin’s mining and consensus system, including N-confirmation double spending, selfish mining, and adversarial forks in the blockchain. We take a detailed look at bitcoin’s peer-to-peer network, and quantify the resources involved in our attack via probabilistic analysis, Monte Carlo simulations, measurements and experiments with live bitcoin nodes. Finally, we present countermeasures, inspired by botnet architectures, that are designed to raise the bar for eclipse attacks while preserving the openness and decentralization of bitcoin’s current network architecture.

Available Media

Word Crimes

Refereed Papers II
Regency BCD

Session Chair: Adam Doupé, Arizona State University

Compiler-instrumented, Dynamic Secret-Redaction of Legacy Processes for Attacker Deception

Frederico Araujo and Kevin W. Hamlen, The University of Texas at Dallas

An enhanced dynamic taint-tracking semantics is presented and implemented, facilitating fast and precise runtime secret redaction from legacy processes, such as those compiled from C/C++. The enhanced semantics reduce the annotation burden imposed upon developers seeking to add secret-redaction capabilities to legacy code, while curtailing over-tainting and label creep.

An implementation for LLVM’s DataFlow Sanitizer automatically instruments taint-tracking and secretredaction support into annotated C/C++ programs at compile-time, yielding programs that can self-censor their address spaces in response to emerging cyber-attacks. The technology is applied to produce the first information flow-based honey-patching architecture for the Apache web server. Rather than merely blocking intrusions, the modified server deceptively diverts attacker connections to secret-sanitized process clones that monitor attacker activities and disinform adversaries with honey-data.

Available Media

Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

Nicholas Carlini, University of California, Berkeley; Antonio Barresi, ETH Zürich; Mathias Payer, Purdue University; David Wagner, University of California, Berkeley; Thomas R. Gross, ETH Zürich

Control-Flow Integrity (CFI) is a defense which prevents control-flow hijacking attacks. While recent research has shown that coarse-grained CFI does not stop attacks, fine-grained CFI is believed to be secure.

We argue that assessing the effectiveness of practical CFI implementations is non-trivial and that common evaluation metrics fail to do so. We then evaluate fullyprecise static CFI — the most restrictive CFI policy that does not break functionality — and reveal limitations in its security. Using a generalization of non-control-data attacks which we call Control-Flow Bending (CFB), we show how an attacker can leverage a memory corruption vulnerability to achieve Turing-complete computation on memory using just calls to the standard library. We use this attack technique to evaluate fully-precise static CFI on six real binaries and show that in five out of six cases, powerful attacks are still possible. Our results suggest that CFI may not be a reliable defense against memory corruption vulnerabilities.

We further evaluate shadow stacks in combination with CFI and find that their presence for security is necessary: deploying shadow stacks removes arbitrary code execution capabilities of attackers in three of six cases.

Available Media

Automatic Generation of Data-Oriented Exploits

Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang, National University of Singapore

As defense solutions against control-flow hijacking attacks gain wide deployment, control-oriented exploits from memory errors become difficult. As an alternative, attacks targeting non-control data do not require diverting the application’s control flow during an attack. Although it is known that such data-oriented attacks can mount significant damage, no systematic methods to automatically construct them from memory errors have been developed. In this work, we develop a new technique called data-flow stitching, which systematically finds ways to join data flows in the program to generate data-oriented exploits. We build a prototype embodying our technique in a tool called FLOWSTITCH that works directly on Windows and Linux binaries. In our experiments, we find that FLOWSTITCH automatically constructs 16 previously unknown and three known data-oriented attacks from eight real-world vulnerable programs. All the automatically-crafted exploits respect fine-grained CFI and DEP constraints, and 10 out of the 19 exploits work with standard ASLR defenses enabled. The constructed exploits can cause significant damage, such as disclosure of sensitive information (e.g., passwords and encryption keys) and escalation of privilege.

Available Media

Invited Talk

Lexington/Bunker Hill

Transforming Innovative Security Concepts into Disruptive Security Companies

2:00 pm-3:30 pm

Rick Gordon, Managing Partner, Mach37 Cyber Accelerator

Security operations people worldwide continue to be overwhelmed by global malicious actors who enjoy an asymmetric advantage. In order to level the playing field, innovators continually create new capabilities that enable them to secure their information infrastructures more scalably and efficiently. Often times, these innovations can solve the same or similar problems in many other enterprises—representing an attractive business opportunity by addressing a large unmet need.

However, inserting these innovations into existing market ecosystems is significantly more challenging than simply packaging together a few lines of code and selling them. Rather, these technical innovators must often transform themselves into business leaders that embody marketing, finance and product management skill sets for which they may have had little or no formal training.

Security operations people worldwide continue to be overwhelmed by global malicious actors who enjoy an asymmetric advantage. In order to level the playing field, innovators continually create new capabilities that enable them to secure their information infrastructures more scalably and efficiently. Often times, these innovations can solve the same or similar problems in many other enterprises—representing an attractive business opportunity by addressing a large unmet need.

However, inserting these innovations into existing market ecosystems is significantly more challenging than simply packaging together a few lines of code and selling them. Rather, these technical innovators must often transform themselves into business leaders that embody marketing, finance and product management skill sets for which they may have had little or no formal training.

This talk will describe that transformation as technology-focused entrepreneurs with disruptive concepts can build companies that can attract the talent, capital, and customers required for their innovations to reach their intended markets.

Rick Gordon is an expert on security technology investing, business strategy and early-stage venture development. Rick currently serves as Managing Partner of Mach37™, the premier accelerator for cybersecurity entrepreneurs and startups. MACH37 launches companies that are delivering the next generation of cybersecurity solutions.

Prior to this role, Rick served as Vice President of Product Management at KEYW Corporation, COO of Lookingglass Cyber Solutions, Managing Director at The Civitas Group, CEO of Tovaris, and was a founding board member of Invincea.

Available Media

  • Read more about Transforming Innovative Security Concepts into Disruptive Security Companies
3:30 pm–4:00 pm Wednesday

Break with Refreshments

Hall of Battles

4:00 pm–6:00 pm Wednesday

Sock It To Me: TLS No Less

Refereed Papers I
Regency A

Session Chair: Stephen McCamant, University of Minnesota

Protocol State Fuzzing of TLS Implementations

Joeri de Ruiter, University of Birmingham; Erik Poll, Radboud University Nijmegen

We describe a largely automated and systematic analysis of TLS implementations by what we call ‘protocol state fuzzing’: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed.

We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations.

Available Media

Verified Correctness and Security of OpenSSL HMAC

Lennart Beringer, Princeton University; Adam Petcher, Harvard University and MIT Lincoln Laboratory; Katherine Q. Ye and Andrew W. Appel, Princeton University

We have proved, with machine-checked proofs in Coq, that an OpenSSL implementation of HMAC with SHA- 256 correctly implements its FIPS functional specification and that its functional specification guarantees the expected cryptographic properties. This is the first machine-checked cryptographic proof that combines a source-program implementation proof, a compilercorrectness proof, and a cryptographic-security proof, with no gaps at the specification interfaces.

The verification was done using three systems within the Coq proof assistant: the Foundational Cryptography Framework, to verify crypto properties of functional specs; the Verified Software Toolchain, to verify C programs w.r.t. functional specs; and CompCert, for verified compilation of C to assembly language.

Available Media

Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation

David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell, University of Cambridge

Transport Layer Security (TLS) implementations have a history of security flaws. The immediate causes of these are often programming errors, e.g. in memory management, but the root causes are more fundamental: the challenges of interpreting the ambiguous prose specification, the complexities inherent in large APIs and code bases, inherently unsafe programming choices, and the impossibility of directly testing conformance between implementations and the specification.

We present nqsb-TLS, the result of our re-engineered approach to security protocol specification and implementation that addresses these root causes. The same code serves two roles: it is both a specification of TLS, executable as a test oracle to check conformance of traces from arbitrary implementations, and a usable implementation of TLS; a modular and declarative programming style provides clean separation between its components. Many security flaws are thus excluded by construction.

nqsb-TLS can be used in standalone Unix applications, which we demonstrate with a messaging client, and can also be compiled into Xen unikernels (specialised virtual machine image) with a trusted computing base (TCB) that is 4% of a standalone system running a standard Linux/OpenSSL stack, with all network traffic being handled in a memory-safe language; this supports applications including HTTPS, IMAP, Git, and Websocket clients and servers. Despite the dual-role design, the high-level implementation style, and the functional programming language we still achieve reasonable performance, with the same handshake performance as OpenSSL and 73% – 84% for bulk throughput.

Available Media

To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections

Marten Oltrogge and Yasemin Acar, Leibniz Universität Hannover; Sergej Dechand and Matthew Smith, Universität Bonn; Sascha Fahl, Fraunhofer FKIE

For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.

The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%1) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominalactual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.

Available Media

Forget Me Not

Refereed Papers II
Regency BCD

Session Chair: Nikita Borisov, University of Illinois at Urbana-Champaign

De-anonymizing Programmers via Code Stylometry

4:00 pm-4:30 pm

Aylin Caliskan-Islam, Drexel University; Richard Harang, U.S. Army Research Laboratory; Andrew Liu, University of Maryland; Arvind Narayanan, Princeton University; Clare Voss, U.S. Army Research Laboratory; Fabian Yamaguchi, University of Goettingen; Rachel Greenstadt, Drexel University

Source code authorship attribution is a significant privacy threat to anonymous code contributors. However, it may also enable attribution of successful attacks from code left behind on an infected system, or aid in resolving copyright, copyleft, and plagiarism issues in the programming fields. In this work, we investigate machine learning methods to de-anonymize source code authors of C/C++ using coding style. Our Code Stylometry Feature Set is a novel representation of coding style found in source code that reflects coding style from properties derived from abstract syntax trees.

Our random forest and abstract syntax tree-based approach attributes more authors (1,600 and 250) with significantly higher accuracy (94% and 98%) on a larger data set (Google Code Jam) than has been previously achieved. Furthermore, these novel features are robust, difficult to obfuscate, and can be used in other programming languages, such as Python. We also find that (i) the code resulting from difficult programming tasks is easier to attribute than easier tasks and (ii) skilled programmers (who can complete the more difficult tasks) are easier to attribute than less skilled programmers.

Available Media

RAPTOR: Routing Attacks on Privacy in Tor

Yixin Sun and Anne Edmundson, Princeton University; Laurent Vanbever, ETH Zürich; Oscar Li, Jennifer Rexford, Mung Chiang, and Prateek Mittal, Princeton University

The Tor network is a widely used system for anonymous communication. However, Tor is known to be vulnerable to attackers who can observe traffic at both ends of the communication path. In this paper, we show that prior attacks are just the tip of the iceberg. We present a suite of new attacks, called Raptor, that can be launched by Autonomous Systems (ASes) to compromise user anonymity. First, AS-level adversaries can exploit the asymmetric nature of Internet routing to increase the chance of observing at least one direction of user traffic at both ends of the communication. Second, AS-level adversaries can exploit natural churn in Internet routing to lie on the BGP paths for more users over time. Third, strategic adversaries can manipulate Internet routing via BGP hijacks (to discover the users using specific Tor guard nodes) and interceptions (to perform traffic analysis). We demonstrate the feasibility of Raptor attacks by analyzing historical BGP data and Traceroute data as well as performing real-world attacks on the live Tor network, while ensuring that we do not harm real users. In addition, we outline the design of two monitoring frameworks to counter these attacks: BGP monitoring to detect control-plane attacks, and Traceroute monitoring to detect data-plane anomalies. Overall, our work motivates the design of anonymity systems that are aware of the dynamics of Internet routing.

Available Media

Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services

Albert Kwon, Massachusetts Institute of Technology; Mashael AlSabah, Qatar Computing Research Institute, Qatar University, and Massachusetts Institute of Technology; David Lazar, Massachusetts Institute of Technology; Marc Dacier, Qatar Computing Research Institute; Srinivas Devadas, Massachusetts Institute of Technology

This paper sheds light on crucial weaknesses in the design of hidden services that allow us to break the anonymity of hidden service clients and operators passively. In particular, we show that the circuits, paths established through the Tor network, used to communicate with hidden services exhibit a very different behavior compared to a general circuit. We propose two attacks, under two slightly different threat models, that could identify a hidden service client or operator using these weaknesses. We found that we can identify the users’ involvement with hidden services with more than 98% true positive rate and less than 0.1% false positive rate with the first attack, and 99% true positive rate and 0.07% false positive rate with the second. We then revisit the threat model of previous website fingerprinting attacks, and show that previous results are directly applicable, with greater efficiency, in the realm of hidden services. Indeed, we show that we can correctly determine which of the 50 monitored pages the client is visiting with 88% true positive rate and false positive rate as low as 2.9%, and correctly deanonymize 50 monitored hidden service servers with true positive rate of 88% and false positive rate of 7.8% in an open world setting.

Available Media

SecGraph: A Uniform and Open-source Evaluation System for Graph Data Anonymization and De-anonymization

Shouling Ji and Weiqing Li, Georgia Institute of Technology; Prateek Mittal, Princeton University; Xin Hu, IBM T. J. Watson Research Center; Raheem Beyah, Georgia Institute of Technology

In this paper, we analyze and systematize the state-ofthe- art graph data privacy and utility techniques. Specifically, we propose and develop SecGraph (available at [1]), a uniform and open-source Secure Graph data sharing/publishing system. In SecGraph, we systematically study, implement, and evaluate 11 graph data anonymization algorithms, 19 data utility metrics, and 15 modern Structure-based De-Anonymization (SDA) attacks. To the best of our knowledge, SecGraph is the first such system that enables data owners to anonymize data by state-of-the-art anonymization techniques, measure the data’s utility, and evaluate the data’s vulnerability against modern De-Anonymization (DA) attacks. In addition, SecGraph enables researchers to conduct fair analysis and evaluation of existing and newly developed anonymization/DA techniques. Leveraging SecGraph, we conduct extensive experiments to systematically evaluate the existing graph data anonymization and DA techniques. The results demonstrate that (i) most anonymization schemes can partially or conditionally preserve most graph utilities while losing some application utility; (ii) no DA attack is optimum in all scenarios. The DA performance depends on several factors, e.g., similarity between anonymized and auxiliary data, graph density, and DA heuristics; and (iii) all the state-of-the-art anonymization schemes are vulnerable to several or all of the modern SDA attacks. The degree of vulnerability of each anonymization scheme depends on how much and which data utility it preserves.

Available Media

Invited Talk

Lexington/Bunker Hill

Conducting Usable Security Studies: It's Complicated

4:00 pm-5:30 pm

Lorrie Faith Cranor, Carnegie Mellon University

User studies are critical to understanding how users perceive and interact with security and privacy software and features. However, conducting usable privacy and security studies is complicated. In some studies, researchers recruit participants to perform tasks not directly related to security so that they can observe how participants respond to security-related prompts or cues that occur while users are focused on primary tasks. Researchers also try to put users in situations where they believe their security or privacy is at risk, while at the same time making sure that participants will not actually suffer harm. When conducting usable security studies there are a lot of methodological details to get right, and studies don't always go quite as planned.

User studies are critical to understanding how users perceive and interact with security and privacy software and features. However, conducting usable privacy and security studies is complicated. In some studies, researchers recruit participants to perform tasks not directly related to security so that they can observe how participants respond to security-related prompts or cues that occur while users are focused on primary tasks. Researchers also try to put users in situations where they believe their security or privacy is at risk, while at the same time making sure that participants will not actually suffer harm. When conducting usable security studies there are a lot of methodological details to get right, and studies don't always go quite as planned. In this talk I will offer a behind-the-scenes look at usable privacy and security study design and present lessons learned from over a decade of user studies at the CyLab Usable Privacy and Security Lab at Carnegie Mellon University.

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. Cranor has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine, and in 2014 she was named an ACM Fellow for her contributions to usable privacy and security research and education. She was previously a researcher at AT&T Labs Research and taught in the Stern School of Business at New York University. In 2012–13, Cranor spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University, where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.

Available Media

  • Read more about Conducting Usable Security Studies: It's Complicated
6:00 pm–7:30 pm Wednesday

USENIX Security '15 Reception

Columbia Ballroom

Sponsored by Facebook
The Internet Defense Prize will be presented during the reception.

7:30 pm–9:30 pm Wednesday

Work-in-Progress Reports (WiP)/Rump Sesson, Plus Special Paper Presentation

Regency A

This is intended as an informal session for short and engaging presentations on recent unpublished results, work in progress, or other topics of interest to the USENIX Security attendees. As in the past, talks do not always need to be serious and funny talks are encouraged! To submit a WiP talk, email sec15wips@usenix.org by Wednesday, August 12, 2015, noon EDT.

Special Paper Presentation: At 9:00 pm there will be a presentation of the USENIX Security '13 paper "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer,” by Roel Verdult, Flavio D. Garcia, and Baris Ege. Find out more below.

Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer

Roel Verdult, Radboud University Nijmegen; Flavio D. Garcia, University of Birmingham; Baris Ege, Radboud University Nijmegen

The Megamos Crypto transponder is used in one of the most widely deployed electronic vehicle immobilizers. It is used among others in most Audi, Fiat, Honda, Volkswagen and Volvo cars. Such an immobilizer is an anti-theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is embedded in the key of the vehicle.

In this paper we have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol which we publish here in full detail. This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation. We exploit these weaknesses in three practical attacks that recover the 96-bit transponder secret key. These three attacks only require wireless communication with the system. Our first attack exploits weaknesses in the cipher design and in the authentication protocol. We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 256 cipher ticks (equivalent to 249 encryptions). Our second attack exploits a weakness in the key update mechanism of the transponder. This attack recovers the secret key after 3×216 authentication attempts with the transponder and negligible computational complexity. We have executed this attack in practice on several vehicles. We were able to recover the key and start the engine with a transponder emulating device. Executing this attack from beginning to end takes only 30 minutes. Our third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.

Available Media

 

Thursday, August 13, 2015

8:00 am–8:30 am Thursday

Continental Breakfast

Hall of Battles

8:30 am–9:00 am Thursday

Lightning Talks for the One-Track Mind

Regency A, Regency BCD, and Lexington/Bunker Hill

We begin each day with a lightning talks session, offering a 60-second preview of the papers to be presented on the day. For authors, it’s an opportunity to provide more reasons why people should come to your talk. For attendees, it’s an opportunity to hear an elevator pitch for the papers you will have to miss today.

9:00 am–10:30 am Thursday

Operating System Security: It's All About the Base

Refereed Papers I
Regency A

Session Chair: Zachary N. J. Peterson, California Polytechnic State University

Trustworthy Whole-System Provenance for the Linux Kernel

Adam Bates, Dave (Jing) Tian, and Kevin R.B. Butler, University of Florida; Thomas Moyer, MIT Lincoln Laboratory

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, while past work has demonstrated the usefulness of provenance, less attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use.

We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems. We demonstrate that LPM creates a trusted provenance-aware execution environment, collecting complete whole-system provenance while imposing as little as 2.7% performance overhead on normal system operation. LPM introduces new mechanisms for secure provenance layering and authenticated communication between provenance-aware hosts, and also interoperates with existing mechanisms to provide strong security assurances. To demonstrate the potential uses of LPM, we design a Provenance-Based Data Loss Prevention (PB-DLP) system. We implement PBDLP as a file transfer application that blocks the transmission of files derived from sensitive ancestors while imposing just tens of milliseconds overhead. LPM is the first step towards widespread deployment of trustworthy provenance-aware applications.

Available Media

Securing Self-Virtualizing Ethernet Devices

Igor Smolyar, Muli Ben-Yehuda, and Dan Tsafrir, Technion—Israel Institute of Technology

Single root I/O virtualization (SRIOV) is a hardware/ software interface that allows devices to “self virtualize” and thereby remove the host from the critical I/O path. SRIOV thus brings near bare-metal performance to untrusted guest virtual machines (VMs) in public clouds, enterprise data centers, and high-performance computing setups. We identify a design flaw in current Ethernet SRIOV NIC deployments that enables untrusted VMs to completely control the throughput and latency of other, unrelated VMs. The attack exploits Ethernet ”pause” frames, which enable network flow control functionality. We experimentally launch the attack across several NIC models and find that it is effective and highly accurate, with substantial consequences if left unmitigated: (1) to be safe, NIC vendors will have to modify their NICs so as to filter pause frames originating from SRIOV instances; (2) in the meantime, administrators will have to either trust their VMs, or configure their switches to ignore pause frames, thus relinquishing flow control, which might severely degrade networking performance. We present the Virtualization-Aware Network Flow Controller (VANFC), a software-based SRIOV NIC prototype that overcomes the attack. VANFC filters pause frames from malicious virtual machines without any loss of performance, while keeping SRIOV and Ethernet flow control hardware/software interfaces intact.

Available Media

EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning

Ruowen Wang, Samsung Research America and North Carolina State University; William Enck and Douglas Reeves, North Carolina State University; Xinwen Zhang, Samsung Research America; Peng Ning, Samsung Research America and North Carolina State University; Dingbang Xu, Wu Zhou, and Ahmed M. Azab, Samsung Research America

Mandatory protection systems such as SELinux and SEAndroid harden operating system integrity. Unfortunately, policy development is error prone and requires lengthy refinement using audit logs from deployed systems. While prior work has studied SELinux policy in detail, SEAndroid is relatively new and has received little attention. SEAndroid policy engineering differs significantly from SELinux: Android fundamentally differs from traditional Linux; the same policy is used on millions of devices for which new audit logs are continually available; and audit logs contain a mix of benign and malicious accesses. In this paper, we propose EASEAndroid, the first SEAndroid analytic platform for automatic policy analysis and refinement. Our key insight is that the policy refinement process can be modeled and automated using semi-supervised learning. Given an existing policy and a small set of known access patterns, EASEAndroid continually expands the knowledge base as new audit logs become available, producing suggestions for policy refinement. We evaluate EASEAndroid on 1.3 million audit logs from real-world devices. EASEAndroid successfully learns 2,518 new access patterns and generates 331 new policy rules. During this process, EASEAndroid discovers eight categories of attack access patterns in real devices, two of which are new attacks directly against the SEAndroid MAC mechanism.

Available Media

Ace Ventura: PETS Detective

Refereed Papers II
Regency BCD

Session Chair: Micah Sherr, Georgetown University

Marionette: A Programmable Network Traffic Obfuscation System

Kevin P. Dyer, Portland State University; Scott E. Coull, RedJack LLC.; Thomas Shrimpton, Portland State University

Recently, a number of obfuscation systems have been developed to aid in censorship circumvention scenarios where encrypted network traffic is filtered. In this paper, we present Marionette, the first programmable network traffic obfuscation system capable of simultaneously controlling encrypted traffic features at a variety of levels, including ciphertext formats, stateful protocol semantics, and statistical properties. The behavior of the system is directed by a powerful type of probabilistic automata and specified in a user-friendly domain-specific language, which allows the user to easily adjust their obfuscation strategy to meet the unique needs of their network environment. In fact, the Marionette system is capable of emulating many existing obfuscation systems, and enables developers to explore a breadth of protocols and depth of traffic features that have, so far, been unattainable. We evaluate Marionette through a series of case studies inspired by censor capabilities demonstrated in the real-world and research literature, including passive network monitors, stateful proxies, and active probing. The results of our experiments not only show that Marionette provides outstanding flexibility and control over traffic features, but it is also capable of achieving throughput of up to 6:7Mbps when generating RFCcompliant cover traffic.

Available Media

CONIKS: Bringing Key Transparency to End Users

Marcela S. Melara and Aaron Blankstein, Princeton University; Joseph Bonneau, Stanford University and The Electronic Frontier Foundation; Edward W. Felten and Michael J. Freedman, Princeton University

We present CONIKS, an end-user key verification service capable of integration in end-to-end encrypted communication systems. CONIKS builds on transparency log proposals for web server certificates but solves several new challenges specific to key verification for end users. CONIKS obviates the need for global third-party monitors and enables users to efficiently monitor their own key bindings for consistency, downloading less than 20 kB per day to do so even for a provider with billions of users. CONIKS users and providers can collectively audit providers for non-equivocation, and this requires downloading a constant 2.5 kB per provider per day. Additionally, CONIKS preserves the level of privacy offered by today’s major communication services, hiding the list of usernames present and even allowing providers to conceal the total number of users in the system.

Available Media

Investigating the Computer Security Practices and Needs of Journalists

Susan E. McGregor, Columbia Journalism School; Polina Charters, Tobin Holliday, and Franziska Roesner, University of Washington

Though journalists are often cited as potential users of computer security technologies, their practices and mental models have not been deeply studied by the academic computer security community. Such an understanding, however, is critical to developing technical solutions that can address the real needs of journalists and integrate into their existing practices. We seek to provide that insight in this paper, by investigating the general and computer security practices of 15 journalists in the U.S. and France via in-depth, semi-structured interviews. Among our findings is evidence that existing security tools fail not only due to usability issues but when they actively interfere with other aspects of the journalistic process; that communication methods are typically driven by sources rather than journalists; and that journalists’ organizations play an important role in influencing journalists’ behaviors. Based on these and other findings, we make recommendations to the computer security community for improvements to existing tools and future lines of research.

Available Media

Invited Talk

Lexington/Bunker Hill

Why Johnny and Janie Can’t Code Safely: Bringing Software Assurance to the Masses

9:00 am-10:30 am

Bart Miller, University of Wisconsin—Madison

While we’re all furiously working on new techniques to automate the finding of weaknesses and even vulnerabilities in software, relatively few programmers in the real world are benefiting from our work. The reasons for this situation are myriad, ranging from lack of training, awareness, and economic incentives on the part of the users; complex and only partially useful tools on the part of the assurance tool developers; legal barriers to open reporting of software problems; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.

As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a 5-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. In addition, tool developers can use the SWAMP-developed resources to speed their tool developments, making it easier to compete with established research projects and commercial products. The SWAMP also serves as a resource for classroom instructors and for researchers studying the software assurance process.

While we’re all furiously working on new techniques to automate the finding of weaknesses and even vulnerabilities in software, relatively few programmers in the real world are benefiting from our work. The reasons for this situation are myriad, ranging from lack of training, awareness, and economic incentives on the part of the users; complex and only partially useful tools on the part of the assurance tool developers; legal barriers to open reporting of software problems; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.

As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a 5-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. In addition, tool developers can use the SWAMP-developed resources to speed their tool developments, making it easier to compete with established research projects and commercial products. The SWAMP also serves as a resource for classroom instructors and for researchers studying the software assurance process.

I will discuss our experiences trying make an impact on the adoption of software assurance practices, the obstacles to making such an impact, and how the security research community (you!) can make this mission more effective.

Barton Miller is Professor of Computer Sciences at the University of Wisconsin. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation." Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.

Available Media

  • Read more about Why Johnny and Janie Can’t Code Safely: Bringing Software Assurance to the Masses
10:30 am–11:00 am Thursday

Break with Refreshments

Hall of Battles

11:00 am–12:30 pm Thursday

ORAMorama!

Refereed Papers I
Regency A

Session Chair: Tadayoshi Kohno, University of Washington

Constants Count: Practical Improvements to Oblivious RAM

Ling Ren, Christopher Fletcher, and Albert Kwon, Massachusetts Institute of Technology; Emil Stefanov, University of California, Berkeley; Elaine Shi, Cornell University; Marten van Dijk, University of Connecticut; Srinivas Devadas, Massachusetts Institute of Technology

Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns as seen by untrusted storage. This paper proposes Ring ORAM, the most bandwidth-efficient ORAM scheme for the small client storage setting in both theory and practice. Ring ORAM is the first tree-based ORAM whose bandwidth is independent of the ORAM bucket size, a property that unlocks multiple performance improvements. First, Ring ORAM’s overall bandwidth is 2.3x to 4x better than Path ORAM, the prior-art scheme for small client storage. Second, if memory can perform simple untrusted computation, Ring ORAM achieves constant online bandwidth (~ 60x improvement over Path ORAM for practical parameters). As a case study, we show Ring ORAM speeds up program completion time in a secure processor by 1.5x relative to Path ORAM. On the theory side, Ring ORAM features a tighter and significantly simpler analysis than Path ORAM.

Available Media

Raccoon: Closing Digital Side-Channels through Obfuscated Execution

Ashay Rane, Calvin Lin, and Mohit Tiwari, The University of Texas at Austin

Side-channel attacks monitor some aspect of a computer system’s behavior to infer the values of secret data. Numerous side-channels have been exploited, including those that monitor caches, the branch predictor, and the memory address bus. This paper presents a method of defending against a broad class of side-channel attacks, which we refer to as digital side-channel attacks. The key idea is to obfuscate the program at the source code level to provide the illusion that many extraneous program paths are executed. This paper describes the technical issues involved in using this idea to provide confidentiality while minimizing execution overhead. We argue about the correctness and security of our compiler transformations and demonstrate that our transformations are safe in the context of a modern processor. Our empirical evaluation shows that our solution is 8.9x faster than prior work (GhostRider [20]) that specifically defends against memory trace-based side-channel attacks.

Available Media

M2R: Enabling Stronger Privacy in MapReduce Computation

Tien Tuan Anh Dinh, Prateek Saxena, Ee-Chien Chang, Beng Chin Ooi, and Chunwang Zhang, National University of Singapore

New big-data analysis platforms can enable distributed computation on encrypted data by utilizing trusted computing primitives available in commodity server hardware. We study techniques for ensuring privacy preserving computation in the popular MapReduce framework. In this paper, we first show that protecting only individual units of distributed computation (e.g. map and reduce units), as proposed in recent works, leaves several important channels of information leakage exposed to the adversary. Next, we analyze a variety of design choices in achieving a stronger notion of private execution that is the analogue of using a distributed oblivious-RAM (ORAM) across the platform. We develop a simple solution which avoids using the expensive ORAM construction, and incurs only an additive logarithmic factor of overhead to the latency. We implement our solution in a system called M2R, which enhances an existing Hadoop implementation, and evaluate it on seven standard MapReduce benchmarks. We show that it is easy to port most existing applications to M2R by changing fewer than 43 lines of code. M2R adds fewer than 500 lines of code to the TCB, which is less than 0:16% of the Hadoop codebase. M2R offers a factor of 1:3x to 44:6x lower overhead than extensions of previous solutions with equivalent privacy. M2R adds a total of 17% to 130% overhead over the insecure baseline solution that ignores the leakage channels M2R addresses.

Available Media

But Maybe All You Need Is Something to Trust

Refereed Papers II
Regency BCD

Session Chair: Devdatta Akhawe, Dropbox

Measuring Real-World Accuracies and Biases in Modeling Password Guessability

Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, and Darya Kurilova, Carnegie Mellon University; Michelle L. Mazurek, University of Maryland; William Melicher and Richard Shay, Carnegie Mellon University

Parameterized password guessability—how many guesses a particular cracking algorithm with particular training data would take to guess a password—has become a common metric of password security. Unlike statistical metrics, it aims to model real-world attackers and to provide per-password strength estimates. We investigate how cracking approaches often used by researchers compare to real-world cracking by professionals, as well as how the choice of approach biases research conclusions. We find that semi-automated cracking by professionals outperforms popular fully automated approaches, but can be approximated by combining multiple such approaches. These approaches are only effective, however, with careful configuration and tuning; in commonly used default configurations, they underestimate the real-world guessability of passwords.

We find that analyses of large password sets are often robust to the algorithm used for guessing as long as it is configured effectively. However, cracking algorithms differ systematically in their effectiveness guessing passwords with certain common features (e.g., character substitutions). This has important implications for analyzing the security of specific password characteristics or of individual passwords (e.g., in a password meter or security audit). Our results highlight the danger of relying only on a single cracking algorithm as a measure of password strength and constitute the first scientific evidence that automated guessing can often approximate guessing by professionals.

Available Media

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound

Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Čapkun, ETH Zürich

Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why twofactor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed.

In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user’s phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound- Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.

Available Media

Android Permissions Remystified: A Field Study on Contextual Integrity

Primal Wijesekera, University of British Columbia; Arjun Baokar, Ashkan Hosseini, Serge Egelman, and David Wagner, University of California, Berkeley; Konstantin Beznosov, University of British Columbia

We instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications access protected resources regulated by permissions. We performed a 36-person field study to explore the notion of “contextual integrity,” i.e., how often applications access protected resources when users are not expecting it. Based on our collection of 27M data points and exit interviews with participants, we examine the situations in which users would like the ability to deny applications access to protected resources. At least 80% of our participants would have preferred to prevent at least one permission request, and overall, they stated a desire to block over a third of all requests. Our findings pave the way for future systems to automatically determine the situations in which users would want to be confronted with security decisions.

Available Media

Invited Talk

Lexington/Bunker Hill

Preventing Security Bugs through Software Design

11:00 am-12:30 pm

Christoph Kern, Google

Many security bugs, such as Cross-Site-Scripting (XSS), SQL injection, buffer overruns, etc, are in isolation relatively straightforward to understand and avoid. Nevertheless, it tends to be surprisingly hard to prevent their introduction in large-scale software development: Large pieces of software have many code sites where such a bug could be potentially introduced, and large systems make it difficult to identify bugs once they exist.

Many security bugs, such as Cross-Site-Scripting (XSS), SQL injection, buffer overruns, etc, are in isolation relatively straightforward to understand and avoid. Nevertheless, it tends to be surprisingly hard to prevent their introduction in large-scale software development: Large pieces of software have many code sites where such a bug could be potentially introduced, and large systems make it difficult to identify bugs once they exist.

This talk describes our approach to preventing the introduction of certain classes of security bugs in large-scale software development projects at Google. We present design patterns to confine the potential for XSS vulnerabilities to a very small, manually auditable fraction of an application's code base. These patterns have been applied to several of Google's flagship services and their underlying web application frameworks, and have resulted in a drastic reduction of XSS bugs observed. We will discuss the applicability of bug-prevention approaches based on framework and API design to other vulnerabilities classes such as SQL injection, and close with observations on the practicality of their integration into real-world, large scale software development projects.

Christoph Kern has been an Information Security Engineer at Google since 2003. Since 2012, he has been leading a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. Christoph is a founding contributor to the IEEE Computer Society Center for Secure Design, and serves on the CSD's steering committee.

Available Media

  • Read more about Preventing Security Bugs through Software Design
12:30 pm–2:00 pm Thursday

Lunch (on your own)

2:00 pm–3:30 pm Thursday

PELCGB

Refereed Papers I
Regency A

Session Chair: Elaine Shi, University of Maryland, College Park

Phasing: Private Set Intersection Using Permutation-based Hashing

Benny Pinkas, Bar-Ilan University; Thomas Schneider, Technische Universität Darmstadt; Gil Segev, The Hebrew University of Jerusalem; Michael Zohner, Technische Universität Darmstadt

Private Set Intersection (PSI) allows two parties to compute the intersection of private sets while revealing nothing more than the intersection itself. PSI needs to be applied to large data sets in scenarios such as measurement of ad conversion rates, data sharing, or contact discovery. Existing PSI protocols do not scale up well, and therefore some applications use insecure solutions instead.

We describe a new approach for designing PSI protocols based on permutation-based hashing, which enables to reduce the length of items mapped to bins while ensuring that no collisions occur. We denote this approach as Phasing, for Permutation-based Hashing Set Intersection. Phasing can dramatically improve the performance of PSI protocols whose overhead depends on the length of the representations of input items.

We apply Phasing to design a new approach for circuit-based PSI protocols. The resulting protocol is up to 5 times faster than the previously best Sort-Compare- Shuffle circuit of Huang et al. (NDSS 2012). We also apply Phasing to the OT-based PSI protocol of Pinkas et al. (USENIX Security 2014), which is the fastest PSI protocol to date. Together with additional improvements that reduce the computation complexity by a logarithmic factor, the resulting protocol improves run-time by a factor of up to 20 and can also have similar communication overhead as the previously best PSI protocol in that respect. The new protocol is only moderately less efficient than an insecure PSI protocol that is currently used by real-world applications, and is therefore the first secure PSI protocol that is scalable to the demands and the constraints of current real-world settings.

Available Media

Faster Secure Computation through Automatic Parallelization

Niklas Buescher and Stefan Katzenbeisser, Technische Universität Darmstadt

Secure two-party computation (TPC) based on Yao’s garbled circuits has seen a lot of progress over the past decade. Yet, compared with generic computation, TPC is still multiple orders of magnitude slower. To improve the efficiency of secure computation based on Yao’s protocol, we propose a practical parallelization scheme. Its advances over existing parallelization approaches are twofold. First, we present a compiler that detects parallelism at the source code level and automatically transforms C code into parallel circuits. Second, by switching the roles of circuit generator and evaluator between both computing parties in the semi-honest model, our scheme makes better use of computation and network resources. This inter-party parallelization approach leads to significant efficiency increases already on single-core hardware without compromising security. Multiple implementations illustrate the practicality of our approach. For instance, we report speed-ups of up to 2.18 on 2 cores and 4.36 on 4 cores for the example application of parallel modular exponentiation.

Available Media

The Pythia PRF Service

Adam Everspaugh and Rahul Chaterjee, University of Wisconsin—Madison; Samuel Scott, University of London; Ari Juels and Thomas Ristenpart,  Cornell Tech

Conventional cryptographic services such as hardware-security modules and software-based keymanagement systems offer the ability to apply a pseudorandom function (PRF) such as HMAC to inputs of a client’s choosing. These services are used, for example, to harden stored password hashes against offline brute-force attacks.

We propose a modern PRF service called PYTHIA designed to offer a level of flexibility, security, and easeof- deployability lacking in prior approaches. The keystone of PYTHIA is a new cryptographic primitive called a verifiable partially-oblivious PRF that reveals a portion of an input message to the service but hides the rest. We give a construction that additionally supports efficient bulk rotation of previously obtained PRF values to new keys. Performance measurements show that our construction, which relies on bilinear pairings and zero-knowledge proofs, is highly practical. We also give accompanying formal definitions and proofs of security.

We implement PYTHIA as a multi-tenant, scalable PRF service that can scale up to hundreds of millions of distinct client applications on commodity systems. In our prototype implementation, query latencies are 15 ms in local-area settings and throughput is within a factor of two of a standard HTTPS server. We further report on implementations of two applications using PYTHIA, showing how to bring its security benefits to a new enterprise password storage system and a new brainwallet system for Bitcoin.

Available Media

And the Hackers Gonna Hack, Hack, Hack, Hack, Hack

Refereed Papers II
Regency BCD

Session Chair: Nicolas Christin, Carnegie Mellon University

EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services

2:00 pm-3:30 pm

Gianluca Stringhini, University College London; Pierre Mourlanne, University of California, Santa Barbara; Gregoire Jacob, Lastline Inc.; Manuel Egele, Boston University; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara

Cybercriminals misuse accounts on online services (e.g., webmails and online social networks) to perform malicious activity, such as spreading malicious content or stealing sensitive information. In this paper, we show that accounts that are accessed by botnets are a popular choice by cybercriminals. Since botnets are composed of a finite number of infected computers, we observe that cybercriminals tend to have their bots connect to multiple online accounts to perform malicious activity.

We present EVILCOHORT, a system that detects online accounts that are accessed by a common set of infected machines. EVILCOHORT only needs the mapping between an online account and an IP address to operate, and can therefore detect malicious accounts on any online service (webmail services, online social networks, storage services) regardless of the type of malicious activity that these accounts perform. Unlike previous work, our system can identify malicious accounts that are controlled by botnets but do not post any malicious content (e.g., spam) on the service. We evaluated EVILCOHORT on multiple online services of different types (a webmail service and four online social networks), and show that it accurately identifies malicious accounts.

Available Media

Trends and Lessons from Three Years Fighting Malicious Extensions

Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, and Kurt Thomas, Google

In this work we expose wide-spread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions. A central component of our study is the design and implementation of WebEval, the first system that broadly identifies malicious extensions with a concrete, measurable detection rate of 96.5%. Over the last three years we detected 9,523 malicious extensions: nearly 10% of every extension submitted to the store. Despite a short window of operation—we removed 50% of malware within 25 minutes of creation— a handful of under 100 extensions escaped immediate detection and infected over 50 million Chrome users. Our results highlight that the extension abuse ecosystem is drastically different from malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft.

Available Media

Meerkat: Detecting Website Defacements through Image-based Object Recognition

Kevin Borgolte, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

Website defacements and website vandalism can inflict significant harm on the website owner through the loss of sales, the loss in reputation, or because of legal ramifications.

Prior work on website defacements detection focused on detecting unauthorized changes to the web server, e.g., via host-based intrusion detection systems or file-based integrity checks. However, most prior approaches lack the capabilities to detect the most prevailing defacement techniques used today: code and/or data injection attacks, and DNS hijacking. This is because these attacks do not actually modify the code or configuration of the website, but instead they introduce new content or redirect the user to a different website.

In this paper, we approach the problem of defacement detection from a different angle: we use computer vision techniques to recognize if a website was defaced, similarly to how a human analyst decides if a website was defaced when viewing it in a web browser. We introduce MEERKAT, a defacement detection system that requires no prior knowledge about the website’s content or its structure, but only its URL. Upon detection of a defacement, the system notifies the website operator that his website is defaced, who can then take appropriate action. To detect defacements, MEERKAT automatically learns high-level features from screenshots of defaced websites by combining recent advances in machine learning, like stacked autoencoders and deep neural networks, with techniques from computer vision. These features are then used to create models that allow for the detection of newly-defaced websites.

We show the practicality ofMEERKAT on the largest website defacement dataset to date, comprising of 10,053,772 defacements observed between January 1998 and May 2014, and 2,554,905 legitimate websites. Overall, MEERKAT achieves true positive rates between 97.422% and 98.816%, false positive rates between 0.547% and 1.528%, and Bayesian detection rates between 98.583% and 99.845%, thus significantly outperforming existing approaches.

Available Media

Invited Talk

Lexington/Bunker Hill

Using Formal Methods to Eliminate Exploitable Bugs

2:00 pm-3:30 pm

Kathleen Fisher, Tufts University

For decades, formal methods have offered the promise of software that doesn’t have exploitable bugs. Until recently, however, it hasn’t been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed. SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. It has been proven to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and to enforce integrity and confidentiality properties. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler.

For decades, formal methods have offered the promise of software that doesn’t have exploitable bugs. Until recently, however, it hasn’t been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed. SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. It has been proven to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and to enforce integrity and confidentiality properties. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler. A number of factors have enabled this revolution in the formal methods community, including increased processor speed, better infrastructure like the Isabelle/HOL and Coq theorem provers, specialized logics for reasoning about low-level code, increasing levels of automation afforded by tactic languages and SAT/SMT solvers, and the decision to move away from trying to verify existing artifacts and instead focus on co-developing the code and the correctness proof. In this talk I will explore the promise and limitations of current formal methods techniques for producing useful software that provably does not contain exploitable bugs. I will discuss these issues in the context of DARPA’s HACMS program, which has as its goal the creation of high-assurance software for vehicles, including quad-copters, helicopters, and automobiles.

Kathleen Fisher is Professor in the Computer Science Department at Tufts University. Previously, she was a Principal Member of the Technical Staff at AT&T Labs Research, a Consulting Faculty Member in the Computer Science Department at Stanford University, and a program manager at DARPA where she started and managed the HACMS and PPAML programs. Kathleen's research focuses on advancing the theory and practice of programming languages and on applying ideas from the programming language community to the problem of ad hoc data management. The main thrust of her work has been in domain-specific languages to facilitate programming with massive amounts of ad hoc data. Kathleen is an ACM Fellow. She has served as program chair for FOOL, ICFP, CUFP, and OOPSLA. Kathleen is past Chair of the ACM Special Interest Group in Programming Languages (SIGPLAN), past Co-Chair of CRA's Committee on the Status of Women (CRA-W), a former editor of the Journal of Functional Programming, and an associated editor of TOPLAS.

Available Media

  • Read more about Using Formal Methods to Eliminate Exploitable Bugs
3:30 pm–4:00 pm Thursday

Break with Refreshments

Hall of Battles

4:00 pm–5:30 pm Thursday

It's a Binary Joke: Either You Get It, or You Don't

Refereed Papers I
Regency A

Session Chair: Taesoo Kim, Georgia Institute of Technology

Recognizing Functions in Binaries with Neural Networks

Eui Chul Richard Shin, Dawn Song, and Reza Moazzezi, University of California, Berkeley

Binary analysis facilitates many important applications like malware detection and automatically fixing vulnerable software. In this paper, we propose to apply artificial neural networks to solve important yet difficult problems in binary analysis. Specifically, we tackle the problem of function identification, a crucial first step in many binary analysis techniques. Although neural networks have undergone a renaissance in the past few years, achieving breakthrough results in multiple application domains such as visual object recognition, language modeling, and speech recognition, no researchers have yet attempted to apply these techniques to problems in binary analysis. Using a dataset from prior work, we show that recurrent neural networks can identify functions in binaries with greater accuracy and efficiency than the state-of-the-art machine-learning-based method. We can train the model an order of magnitude faster and evaluate it on binaries hundreds of times faster. Furthermore, it halves the error rate on six out of eight benchmarks, and performs comparably on the remaining two.

Available Media

Reassembleable Disassembling

Shuai Wang, Pei Wang, and Dinghao Wu, The Pennsylvania State University

Reverse engineering has many important applications in computer security, one of which is retrofitting software for safety and security hardening when source code is not available. By surveying available commercial and academic reverse engineering tools, we surprisingly found that no existing tool is able to disassemble executable binaries into assembly code that can be correctly assembled back in a fully automated manner, even for simple programs. Actually in many cases, the resulted disassembled code is far from a state that an assembler accepts, which is hard to fix even by manual effort. This has become a severe obstacle. People have tried to overcome it by patching or duplicating new code sections for retrofitting of executables, which is not only inefficient but also cumbersome and restrictive on what retrofitting techniques can be applied to.

In this paper, we present UROBOROS, a tool that can disassemble executables to the extent that the generated code can be assembled back to working binaries without manual effort. By empirically studying 244 binaries, we summarize a set of rules that can make the disassembled code relocatable, which is the key to reassembleable disassembling. With UROBOROS, the disassembly-reassembly process can be repeated thousands of times. We have implemented a prototype of UROBOROS and tested over the whole set of GNU Coreutils, SPEC2006, and a set of other real-world application and server programs. The experiment results show that our tool is effective with a very modest cost.

Available Media

How the ELF Ruined Christmas

Alessandro Di Federico, University of California, Santa Barbara and Politecnico di Milano; Amat Cama, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

Throughout the last few decades, computer software has experienced an arms race between exploitation techniques leveraging memory corruption and detection/protection mechanisms. Effective mitigation techniques, such as Address Space Layout Randomization, have significantly increased the difficulty of successfully exploiting a vulnerability. A modern exploit is often two-stage: a first information disclosure step to identify the memory layout, and a second step with the actual exploit. However, because of the wide range of conditions under which memory corruption occurs, retrieving memory layout information from the program is not always possible.

In this paper, we present a technique that uses the dynamic loader’s ability to identify the locations of critical functions directly and call them, without requiring an information leak. We identified several fundamental weak points in the design of ELF standard and dynamic loader implementations that can be exploited to resolve and execute arbitrary library functions. Through these, we are able to bypass specific security mitigation techniques, including partial and full RELRO, which are specifically designed to protect ELF data-structures from being coopted by attackers. We implemented a prototype tool, Leakless, and evaluated it against different dynamic loader implementations, previous attack techniques, and reallife case studies to determine the impact of our findings. Among other implications, Leakless provides attackers with reliable and non-invasive attacks, less likely to trigger intrusion detection systems.

Available Media

Let's Get Ethical, Ethical

Regency BCD

Session Chair: Alex Halderman, University of Michigan

Panel on Research Ethics

Panelists: Michael Bailey, University of Illinois at Urbana-Champaign; Erin Kenneally, University of California, San Diego and Elchemy, Inc.; Niels Provos, Google; Stuart Schechter, Microsoft Research

  • Read more about Panel on Research Ethics

Invited Talk

Lexington/Bunker Hill

Perspectives on Securing Cyberspace

4:00 pm-5:30 pm

Deborah A. Frincke, National Security Agency/Central Security Service

Cybersecurity research within the National Security Agency/Central Security Service Research Directorate is a complex, mission-driven effort that must take into account multiple perspectives from information assurance, intelligence, and U.S. Cyber Command. The Research Directorate’s efforts into securing cyberspace must provide scientific advantages for NSA’s major missions, protect civil liberties, and implement transparency and privacy protections.

There are numerous facets to the Research Directorate’s cybersecurity research including developing a security for IoT devices, building a basic science of security, and cyber resilience. Other research that ties into the cybersecurity space includes low-power computing, neuromorphic computing, visual analytics, and high-speed stream processing.

This talk will provide a high-level overview of the National Security Agency/Central Security Service Research Directorate, including a short discussion of the process of the intelligence analysis mission, and highlight some of the directorate’s current research projects in cybersecurity and related fields. As part of her “dive” into cybersecurity, Dr. Frincke will also discuss current challenges in cybersecurity.

Cybersecurity research within the National Security Agency/Central Security Service Research Directorate is a complex, mission-driven effort that must take into account multiple perspectives from information assurance, intelligence, and U.S. Cyber Command. The Research Directorate’s efforts into securing cyberspace must provide scientific advantages for NSA’s major missions, protect civil liberties, and implement transparency and privacy protections.

There are numerous facets to the Research Directorate’s cybersecurity research including developing a security for IoT devices, building a basic science of security, and cyber resilience. Other research that ties into the cybersecurity space includes low-power computing, neuromorphic computing, visual analytics, and high-speed stream processing.

This talk will provide a high-level overview of the National Security Agency/Central Security Service Research Directorate, including a short discussion of the process of the intelligence analysis mission, and highlight some of the directorate’s current research projects in cybersecurity and related fields. As part of her “dive” into cybersecurity, Dr. Frincke will also discuss current challenges in cybersecurity.

Dr. Deborah Frincke currently leads the Research Directorate of the National Security Agency/Central Security Service (NSA/CSS), the only “in-house” research organization in the U.S. Intelligence Community to create breakthroughs in mathematics, science, and engineering that support and enable the NSA/CSS. Under her guidance, the Research Directorate recruits personnel and maintains faculties that are world-class in fields as diverse as mathematics, computer science, cybersecurity/trustworthy computing, engineering, physics, neuroscience, cognitive psychology and linguistics. The Research Directorate engages with leading industries, universities, and national laboratories to both advance core competencies and to leverage work in overlapping disciplines. Dr. Frincke recently transitioned to the Research Directorate after leading global education and training for the NSA/CSS as Associate Director for Education and Training (ADET). While leading ADET, Dr. Frincke also served as Commandant of the National Cryptologic School and as the NSA/CSS Training Director.

Prior to joining NSA/CSS, Dr. Frincke had a threefold career encompassing academia, the Department of Energy National Laboratory system, and private industry. A nationally-recognized expert and well-cited author, she has published over 100 articles and technical reports, and she continues to speak nationally on topics from leadership to cybersecurity. She also co-leads the Basic Training Board for IEEE Security and Privacy magazine. Past professional service includes leadership and participation on numerous scientific program committees and editorial boards, such as the Journal of Computer Security, and organizational boards, including the Networking and Information Technology Research and Development Program and National Intelligence Science and Technology Committee. She is a Senior Member of IEEE and an affiliate Full Professor with the Information School at the University of Washington.

Available Media

  • Read more about Perspectives on Securing Cyberspace
6:00 pm–7:30 pm Thursday

USENIX Security '15 Poster Session and Happy Hour

Columbia Ballroom

Check out the cool new ideas and the latest preliminary research on display at the Poster Session and Happy Hour. Take part in discussions with your colleagues over complimentary drinks and snacks. Check out the list of accepted posters.

7:30 pm–9:30 pm Thursday

USENIX Security '15 Doctoral Colloquium

Regency A

What opportunities await security students graduating with a Ph.D.? On Thursday evening, students will have the opportunity to listen to informal panels of faculty and industrial researchers providing personal perspectives on their post-Ph.D. career search. Learn about the academic job search, the industrial research job search, research fund raising, dual-career challenges, life uncertainty, and other idiosyncrasies of the ivory tower. If you would like to speak in the Doctoral Colloquium, please email sec15dc@usenix.org.

 

Friday, August 14, 2015

8:00 am–8:30 am Friday

Continental Breakfast

Hall of Battles

8:30 am–9:00 am Friday

Lightning Talks for the One-Track Mind

Regency A and Regency BCD

We begin each day with a lightning talks session, offering a 60-second preview of the papers to be presented on the day. For authors, it’s an opportunity to provide more reasons why people should come to your talk. For attendees, it’s an opportunity to hear an elevator pitch for the papers you will have to miss today.

9:00 am–10:30 am Friday

Pain in the App

Refereed Papers I
Regency A

Session Chair: William Enck, North Carolina State University

Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale

Kai Chen, Chinese Academy of Sciences and Indiana University; Peng Wang, Yeonjoon Lee, Xiaofeng Wang, and Nan Zhang, Indiana University; Heqing Huang, The Pennsylvania State University; Wei Zou, Chinese Academy of Sciences; Peng Liu, The Pennsylvania State University

An app market’s vetting process is expected to be scalable and effective. However, today’s vetting mechanisms are slow and less capable of catching new threats. In our research, we found that a more powerful solution can be found by exploiting the way Android malware is constructed and disseminated, which is typically through repackaging legitimate apps with similar malicious components. As a result, such attack payloads often stand out from those of the same repackaging origin and also show up in the apps not supposed to relate to each other.

Based upon this observation, we developed a new technique, called MassVet, for vetting apps at a massive scale, without knowing what malware looks like and how it behaves. Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious. In our research, we built this “DiffCom” analysis on top of an efficient similarity comparison algorithm, which maps the salient features of an app’s UI structure or a method’s control-flow graph to a value for a fast comparison. We implemented MassVet over a stream processing engine and evaluated it nearly 1.2 million apps from 33 app markets around the world, the scale of Google Play. Our study shows that the technique can vet an app within 10 seconds at a low false detection rate. Also, it outperformed all 54 scanners in VirusTotal (NOD32, Symantec, McAfee, etc.) in terms of detection coverage, capturing over a hundred thousand malicious apps, including over 20 likely zero-day malware and those installed millions of times. A close look at these apps brings to light intriguing new observations: e.g., Google’s detection strategy and malware authors’ countermoves that cause the mysterious disappearance and reappearance of some Google Play apps.

Available Media

You Shouldn’t Collect My Secrets: Thwarting Sensitive Keystroke Leakage in Mobile IME Apps

Jin Chen and Haibo Chen, Shanghai Jiao Tong University; Erick Bauman and Zhiqiang Lin, The University of Texas at Dallas; Binyu Zang and Haibing Guan, Shanghai Jiao Tong University

IME (input method editor) apps are the primary means of interaction on mobile touch screen devices and thus are usually granted with access to a wealth of private user input. In order to understand the (in)security of mobile IME apps, this paper first performs a systematic study and uncovers that many IME apps may (intentionally or unintentionally) leak users’ sensitive data to the outside world (mainly due to the incentives of improving the user’s experience). To thwart the threat of sensitive information leakage while retaining the benefits of an improved user experience, this paper then proposes I-BOX, an app-transparent oblivious sandbox that minimizes sensitive input leakage by confining untrusted IME apps to predefined security policies. Several key challenges have to be addressed due to the proprietary and closed-source nature of most IME apps and the fact that an IME app can arbitrarily store and transform user input before sending it out. By designing system-level transactional execution, I-BOX works seamlessly and transparently with IME apps. Specifically, I-BOX first checkpoints an IME app’s state before the first keystroke of an input, monitors and analyzes the user’s input, and rolls back the state to the checkpoint if it detects the potential danger that sensitive input may be leaked. A proof of concept I-BOX prototype has been built for Android and tested with a set of popular IME apps. Experimental results show that I-BOX is able to thwart the leakage of sensitive input for untrusted IME apps, while incurring very small runtime overhead and little impact on user experience.

Available Media

Boxify: Full-fledged App Sandboxing for Stock Android

Michael Backes, Saarland University and Max Planck Institute for Software Systems (MPI-SWS); Sven Bugiel, Christian Hammer, Oliver Schranz, and  Philipp von Styp-Rekowsky, Saarland University

We present the first concept for full-fledged app sandboxing on stock Android. Our approach is based on application virtualization and process-based privilege separation to securely encapsulate untrusted apps in an isolated environment. In contrast to all related work on stock Android, we eliminate the necessity to modify the code of monitored apps, and thereby overcome existing legal concerns and deployment problems that rewriting-based approaches have been facing. We realize our concept as a regular Android app called Boxify that can be deployed without firmware modifications or root privileges. A systematic evaluation of Boxify demonstrates its capability to enforce established security policies without incurring a significant runtime performance overhead.

Available Media

Oh, What a Tangled Web We Weave

Refereed Papers II
Regency BCD

Session Chair: Franziska Roesner, University of Washington

Cookies Lack Integrity: Real-World Implications

Xiaofeng Zheng, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology; Jian Jiang, University of California, Berkeley; Jinjin Liang, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology; Haixin Duan, Tsinghua University, Tsinghua National Laboratory for Information Science and Technology, and International Computer Science Institute; Shuo Chen, Microsoft Research Redmond; Tao Wan, Huawei Canada; Nicholas Weaver, International Computer Science Institute and University of California, Berkeley

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related domain. Although an acknowledged threat, it has not yet been studied thoroughly. This paper aims to fill this gap with an in-depth empirical assessment of cookie injection attacks. We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS, possible browser changes, and present a proof-of-concept browser extension to provide better cookie isolation between HTTP and HTTPS, and between related domains.

Available Media

The Unexpected Dangers of Dynamic JavaScript

Sebastian Lekies, Ruhr-University Bochum; Ben Stock, Friedrich-Alexander-Universität Erlangen-Nürnberg; Martin Wentzel and Martin Johns, SAP SE

Modern Web sites frequently generate JavaScript on-the-fly via server-side scripting, incorporating personalized user data in the process. In general, cross-domain access to such sensitive resources is prevented by the Same- Origin Policy. The inclusion of remote scripts via the HTML script tag, however, is exempt from this policy. This exemption allows an adversary to import and execute dynamically generated scripts while a user visits an attacker-controlled Web site. By observing the execution behavior and the side effects the inclusion of the dynamic script causes, the attacker is able to leak private user data leading to severe consequences ranging from privacy violations up to full compromise of user accounts.

Although this issues has been known for several years under the term Cross-Site Script Inclusion, it has not been analyzed in-depth on the Web. Therefore, to systematically investigate the issue, we conduct a study on its prevalence in a set of 150 top-ranked domains. We observe that a third of the surveyed sites utilize dynamic JavaScript. After evaluating the effectiveness of the deployed countermeasures, we show that more than 80% of the sites are susceptible to attacks via remote script inclusion. Given the results of our study, we provide a secure and functionally equivalent alternative to the use of dynamic scripts.

Available Media

ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities

Michael Weissbacher, William Robertson, and Engin Kirda, Northeastern University; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara

Modern web applications are increasingly moving program code to the client in the form of JavaScript. With the growing adoption of HTML5 APIs such as <code>postMessage</code>, client-side validation (CSV) vulnerabilities are consequently becoming increasingly important to address as well. However, while detecting and preventing attacks against web applications is a well-studied topic on the server, considerably less work has been performed for the client. Exacerbating this issue is the problem that defenses against CSVs must, in the general case, fundamentally exist in the browser, rendering current server-side defenses inadequate.

In this paper, we present ZigZag, a system for hardening JavaScript-based web applications against clientside validation attacks. ZigZag transparently instruments client-side code to perform dynamic invariant detection on security-sensitive code, generating models that describe how—and with whom—client-side components interact. ZigZag is capable of handling templated JavaScript, avoiding full re-instrumentation when JavaScript programs are structurally similar. Learned invariants are then enforced through a subsequent instrumentation step. Our evaluation demonstrates that ZigZag is capable of automatically hardening client-side code against both known and previously-unknown vulnerabilities. Finally, we show that ZigZag introduces acceptable overhead in many cases, and is compatible with popular websites drawn from the Alexa Top 20 without developer or user intervention.

Available Media

10:30 am–11:00 am Friday

Break with Refreshments

Hall of Battles

11:00 am–12:30 pm Friday

The World's Address: An App That's Worn

Refereed Papers I
Regency A

Session Chair: Serge Egelman, University of California, Berkeley, and International Computer Science Institute

Anatomization and Protection of Mobile Apps’ Location Privacy Threats

Kassem Fawaz, Huan Feng, and Kang G. Shin, University of Michigan

Mobile users are becoming increasingly aware of the privacy threats resulting from apps’ access of their location. Few of the solutions proposed thus far to mitigate these threats have been deployed as they require either app or platform modifications. Mobile operating systems (OSes) also provide users with location access controls. In this paper, we analyze the efficacy of these controls in combating the location-privacy threats. For this analysis, we conducted the first location measurement campaign of its kind, analyzing more than 1000 free apps from Google Play and collecting detailed usage of location by more than 400 location-aware apps and 70 Advertisement and Analytics (A&A) libraries from more than 100 participants over a period ranging from 1 week to 1 year. Surprisingly, 70% of the apps and the A&A libraries pose considerable profiling threats even when they sporadically access the user’s location. Existing OS controls are found ineffective and inefficient in mitigating these threats, thus calling for a finer-grained location access control. To meet this need, we propose LP-Doctor, a light-weight user-level tool that allows Android users to effectively utilize the OS’s location access controls while maintaining the required app’s functionality as our user study (with 227 participants) shows.

Available Media

LinkDroid: Reducing Unregulated Aggregation of App Usage Behaviors

Huan Feng, Kassem Fawaz, and Kang G. Shin, University of Michigan

Usage behaviors of different smartphone apps capture different views of an individual’s life, and are largely independent of each other. However, in the current mobile app ecosystem, a curious party can covertly link and aggregate usage behaviors of the same user across different apps. We refer to this as unregulated aggregation of app usage behaviors. In this paper, we present a fresh perspective of unregulated aggregation, focusing on monitoring, characterizing and reducing the underlying linkability across apps. The cornerstone of our study is the Dynamic Linkability Graph (DLG) which tracks applevel linkability during runtime. We observed how DLG evolves on real-world users and identified real-world evidence of apps abusing IPCs and OS-level identifying information to establish linkability. Based on these observations, we propose a linkability-aware extension to current mobile operating systems, called LinkDroid,which provides runtime monitoring and mediation of linkability across different apps. LinkDroid is a client-side solution and compatible with the existing smartphone ecosystem. It helps end-users “sense” this emerging threat and provides them intuitive opt-out options.

Available Media

PowerSpy: Location Tracking Using Mobile Device Power Analysis

Yan Michalevsky, Aaron Schulman, Gunaa Arumugam Veerapandian, and Dan Boneh, Stanford University; Gabi Nakibly, National Research and Simulation Center/Rafael Ltd.

Modern mobile platforms like Android enable applications to read aggregate power usage on the phone. This information is considered harmless and reading it requires no user permission or notification. We show that by simply reading the phone’s aggregate power consumption over a period of a few minutes an application can learn information about the user’s location. Aggregate phone power consumption data is extremely noisy due to the multitude of components and applications that simultaneously consume power. Nevertheless, by using machine learning algorithms we are able to successfully infer the phone’s location. We discuss several ways in which this privacy leak can be remedied.

Available Media

ADDioS!

Refereed Papers II
Regency BCD

Session Chair: Stephen Checkoway, University of Illinois at Chicago

In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services

Giancarlo Pellegrino, Saarland University; Davide Balzarotti, Eurecom; Stefan Winter and Neeraj Suri, Technische Universität Darmstadt

In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.

Available Media

Bohatei: Flexible and Elastic DDoS Defense

Seyed K. Fayaz, Yoshiaki Tobioka, and Vyas Sekar, Carnegie Mellon University; Michael Bailey, University of Illinois at Urbana-Champaign

DDoS defense today relies on expensive and proprietary hardware appliances deployed at fixed locations. This introduces key limitations with respect to flexibility (e.g., complex routing to get traffic to these “chokepoints”) and elasticity in handling changing attack patterns. We observe an opportunity to address these limitations using new networking paradigms such as softwaredefined networking (SDN) and network functions virtualization (NFV). Based on this observation, we design and implement Bohatei, a flexible and elastic DDoS defense system. In designing Bohatei, we address key challenges with respect to scalability, responsiveness, and adversary-resilience. We have implemented defenses for several DDoS attacks using Bohatei. Our evaluations show that Bohatei is scalable (handling 500 Gbps attacks), responsive (mitigating attacks within one minute), and resilient to dynamic adversaries.

Available Media

Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge

Bradley Reaves, University of Florida; Ethan Shernan, Georgia Institute of Technology; Adam Bates, University of Florida; Henry Carter, Georgia Institute of Technology; Patrick Traynor, University of Florida

The high price of incoming international calls is a common method of subsidizing telephony infrastructure in the developing world. Accordingly, international telephone system interconnects are regulated to ensure call quality and accurate billing. High call tariffs create a strong incentive to evade such interconnects and deliver costly international calls illicitly. Specifically, adversaries use VoIP-GSM gateways informally known as “simboxes” to receive incoming calls over wired data connections and deliver them into a cellular voice network through a local call that appears to originate from a customer’s phone. This practice is not only extremely profitable for simboxers, but also dramatically degrades network experience for legitimate customers, violates telecommunications laws in many countries, and results in significant revenue loss. In this paper, we present a passive detection technique for combating simboxes at a cellular base station. Our system relies on the raw voice data received by the tower during a call to distinguish errors in GSM transmission from the distinct audio artifacts caused by delivering the call over a VoIP link. Our experiments demonstrate that this approach is highly effective, and can detect 87% of real simbox calls in only 30 seconds of audio with no false positives. Moreover, we demonstrate that evading our detection across multiple calls is only possible with a small probability. In so doing, we demonstrate that fraud that degrades network quality and costs telecommunications billions of dollars annually can easily be detected and counteracted in real time.

Available Media

12:30 pm–2:00 pm Friday

Lunch (on your own)

2:00 pm–3:30 pm Friday

Attacks: I Won't Let You Down

Refereed Papers I
Regency A

Session Chair: Cynthia Irvine, Naval Postgraduate School

GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies

Mordechai Guri, Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, and Yuval Elovici, Ben-Gurion University of the Negev

Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.

For more information, watch the video GSMem Breaking The Air-Gap on YouTube.

Available Media

Thermal Covert Channels on Multi-core Platforms

Ramya Jayaram Masti, Devendra Rai, Aanjhan Ranganathan, Christian Müller, Lothar Thiele, and Srdjan Capkun, ETH Zürich

Side channels remain a challenge to information flow control and security in modern computing platforms. Resource partitioning techniques that minimise the number of shared resources among processes are often used to address this challenge. In this work, we focus on multicore platforms and we demonstrate that even seemingly strong isolation techniques based on dedicated cores can be circumvented through the use of thermal channels. Specifically, we show that the processor core temperature can be used both as a side channel as well as a covert communication channel even when the system implements strong spatial and temporal partitioning. Our experiments on an Intel Xeon server platform demonstrate covert thermal channels that achieve up to 12.5 bps and weak thermal side channels that can detect processes executed on neighbouring cores. This work therefore shows a limitation in the isolation that can be achieved on existing multi-core systems.

Available Media

Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors

Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim, Korea Advanced Institute of Science and Technology (KAIST)

Sensing and actuation systems contain sensors to observe the environment and actuators to influence it. However, these sensors can be tricked by maliciously fabricated physical properties. In this paper, we investigated whether an adversary could incapacitate drones equipped with Micro-Electro-Mechanical Systems (MEMS) gyroscopes using intentional sound noise. While MEMS gyroscopes are known to have resonant frequencies that degrade their accuracy, it is not known whether this property can be exploited maliciously to disrupt the operation of drones. 

We first tested 15 kinds of MEMS gyroscopes against sound noise and discovered the resonant frequencies of seven MEMS gyroscopes by scanning the frequencies under 30 kHz using a consumer-grade speaker. The standard deviation of the resonant output from those gyroscopes was dozens of times larger than that of the normal output. After analyzing a target drone’s flight control system, we performed real-world experiments and a software simulation to verify the effect of the crafted gyroscope output. Our real-world experiments showed that in all 20 trials, one of two target drones equipped with vulnerable gyroscopes lost control and crashed shortly after we started our attack. A few interesting applications and countermeasures are discussed at the conclusion of this paper.

Available Media

How Do You Secure a Cloud and Pin It Down?

Refereed Papers II
Regency BCD

Session Chair: Kevin Butler, University of Florida

Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches

Daniel Gruss, Raphael Spreitzer, and Stefan Mangard, Graz University of Technology

Recent work on cache attacks has shown that CPU caches represent a powerful source of information leakage. However, existing attacks require manual identification of vulnerabilities, i.e., data accesses or instruction execution depending on secret information. In this paper, we present Cache Template Attacks. This generic attack technique allows us to profile and exploit cache-based information leakage of any program automatically, without prior knowledge of specific software versions or even specific system information. Cache Template Attacks can be executed online on a remote system without any prior offline computations or measurements.

Cache Template Attacks consist of two phases. In the profiling phase, we determine dependencies between the processing of secret information, e.g., specific key inputs or private keys of cryptographic primitives, and specific cache accesses. In the exploitation phase, we derive the secret values based on observed cache accesses. We illustrate the power of the presented approach in several attacks, but also in a useful application for developers. Among the presented attacks is the application of Cache Template Attacks to infer keystrokes and—even more severe—the identification of specific keys on Linux and Windows user interfaces. More specifically, for lowercase only passwords, we can reduce the entropy per character from log2(26) = 4:7 to 1:4 bits on Linux systems. Furthermore, we perform an automated attack on the T-table- based AES implementation of OpenSSL that is as efficient as state-of-the-art manual cache attacks.

Available Media

A Placement Vulnerability Study in Multi-Tenant Public Clouds

Venkatanathan Varadarajan, University of Wisconsin—Madison; Yinqian Zhang, The Ohio State University; Thomas Ristenpart, Cornell Tech; Michael Swift, University of Wisconsin—Madison

Public infrastructure-as-a-service clouds, such as Amazon EC2, Google Compute Engine (GCE) and Microsoft Azure allow clients to run virtual machines (VMs) on shared physical infrastructure. This practice of multi-tenancy brings economies of scale, but also introduces the risk of sharing a physical server with an arbitrary and potentially malicious VM. Past works have demonstrated how to place a VM alongside a target victim (co-location) in early-generation clouds and how to extract secret information via side-channels. Although there have been numerous works on side-channel attacks, there have been no studies on placement vulnerabilities in public clouds since the adoption of stronger isolation technologies such as Virtual Private Clouds (VPCs).

We investigate this problem of placement vulnerabilities and quantitatively evaluate three popular public clouds for their susceptibility to co-location attacks. We find that adoption of new technologies (e.g., VPC) makes many prior attacks, such as cloud cartography, ineffective. We find new ways to reliably test for co-location across Amazon EC2, Google GCE, and Microsoft Azure. We also found ways to detect co-location with victim web servers in multi-tiered located behind a load balancer. 

We use our new co-residence tests and multiple customer accounts to launch VM instances under different strategies that seek to maximize the likelihood of co-residency. We find that it is much easier (10x higher success rate) and cheaper (up to $114 less) to achieve co-location in these three clouds when compared to a secure reference placement policy.

Keywords: co-location detection, multi-tenancy, cloud security

Available Media

A Measurement Study on Co-residence Threat inside the Cloud

Zhang Xu, College of William and Mary; Haining Wang, University of Delaware; Zhenyu Wu, NEC Laboratories America

As the most basic cloud service model, Infrastructure as a Service (IaaS) has been widely used for serving the evergrowing computing demand due to the prevalence of the cloud. Using pools of hypervisors within the cloud, IaaS can support a large number of Virtual Machines (VMs) and scale services in a highly dynamic manner. However, it is well-known that the VMs in IaaS are vulnerable to co-residence threat, which can be easily exploited to launch different malicious attacks. In this measurement study, we investigate how IaaS evolves in VM placement, network management, and Virtual Private Cloud (VPC), as well as the impact upon co-residence. Specifically, through intensive measurement probing, we first profile the dynamic environment of cloud instances inside the cloud. Then using real experiments, we quantify the impacts of VM placement and network management upon co-residence. Moreover, we explore VPC, which is a defensive network-based service of Amazon EC2 for security enhancement, from the routing perspective. On one hand, our measurement shows that VPC is widely used and can indeed suppress co-residence threat. On the other hand, we demonstrate a new approach to achieving co-residence in VPC, indicating that co-residence threat still exists in the cloud.

Available Media

3:30 pm–4:00 pm Friday

Break with Refreshments

Hall of Battles

4:00 pm–6:00 pm Friday

Knock Knock. Who's There? Icy. Icy Who? I See You Too

Refereed Papers I
Regency A

Session Chair: Thorsten Holz, Ruhr-Universität Bochum

Towards Discovering and Understanding Task Hijacking in Android

Chuangang Ren, The Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, FireEye, Inc.; Peng Liu, The Pennsylvania State University

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denialof- service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

Available Media

Cashtags: Protecting the Input and Display of Sensitive Data

Michael Mitchell and An-I Andy Wang, Florida State University; Peter Reiher, University of California, Los Angeles

Mobile computing is the new norm. As people feel increasingly comfortable computing in public places such as coffee shops and transportation hubs, the threat of exposing sensitive information increases. While solutions exist to guard the communication channels used by mobile devices, the visual channel remains largely open. Shoulder surfing is becoming a viable threat in a world where users are often surrounded by high-power cameras, and sensitive information can be extracted from images using only modest computing power. 

In response, we present Cashtags: a system to defend against attacks on mobile devices based on visual observations. The system allows users to safely access pieces of sensitive information in public by intercepting and replacing sensitive data elements with non-sensitive data elements before they are displayed on the screen. In addition, the system provides a means of computing with sensitive data in a non-observable way, while maintaining full functionality and legacy compatibility across applications.

Available Media

SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps

Jianjun Huang, Purdue University; Zhichun Li, Xusheng Xiao, and Zhenyu Wu, NEC Labs America; Kangjie Lu, Georgia Institute of Technology; Xiangyu Zhang, Purdue University; Guofei Jiang, NEC Labs America

While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. 

In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.

Available Media

UIPicker: User-Input Privacy Identification in Mobile Applications

Yuhong Nan, Min Yang, Zhemin Yang, and Shunfan Zhou, Fudan University; Guofei Gu, Texas A&M University; Xiaofeng Wang, Indiana University Bloomington

Identifying sensitive user inputs is a prerequisite for privacy protection. When it comes to today’s program analysis systems, however, only those data that go through well-defined system APIs can be automatically labelled. In our research, we show that this conventional approach is far from adequate, as most sensitive inputs are actually entered by the user at an app’s runtime: in our research, we inspect 17, 425 top apps from Google Play, and find that 35.46% of them involve sensitive user inputs. Manually marking them involves a lot of effort, impeding a large-scale, automated analysis of apps for potential information leaks. To address this important issue, we present UIPicker, an adaptable framework for automatic identification of sensitive user inputs. UIPicker is designed to detect the semantic information within the application layout resources and program code, and further analyze it for the locations where security-critical information may show up. This approach can support a variety of existing security analysis on mobile apps. We further develop a runtime protection mechanism on top of the technique, which helps the user make informed decisions when her sensitive data is about to leave the device in an unexpected way. We evaluate our approach over 200 randomly selected popular apps on Google- Play. UIPicker is able to accurately label sensitive user inputs most of the time, with 93.6%precision and 90.1% recall.

Available Media

How Do You Solve a Problem Like M-al-ware?

Refereed Papers II
Regency BCD

Session Chair: Guofei Gu, Texas A&M University

Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents

Yang Liu, Armin Sarabi, Jing Zhang, and Parinaz Naghizadeh, University of Michigan; Manish Karir, QuadMetrics, Inc.; Michael Bailey, University of Illinois at Urbana-Champaign; Mingyan Liu, University of Michigan and QuadMetrics, Inc.

In this study we characterize the extent to which cyber security incidents, such as those referenced by Verizon in its annual Data Breach Investigations Reports (DBIR), can be predicted based on externally observable properties of an organization’s network. We seek to proactively forecast an organization’s breaches and to do so without cooperation of the organization itself. To accomplish this goal, we collect 258 externally measurable features about an organization’s network from two main categories: mismanagement symptoms, such as misconfigured DNS or BGP within a network, and malicious activity time series, which include spam, phishing, and scanning activity sourced from these organizations. Using these features we train and test a Random Forest (RF) classifier against more than 1,000 incident reports taken from the VERIS community database, Hackmageddon, and theWeb Hacking Incidents Database that cover events from mid-2013 to the end of 2014. The resulting classifier is able to achieve a 90% True Positive (TP) rate, a 10% False Positive (FP) rate, and an overall 90% accuracy.

Available Media

WebWitness: Investigating, Categorizing, and Mitigating Malware Download Paths

Terry Nelms, Damballa, Inc. and Georgia Institute of Technology; Roberto Perdisci, University of Georgia and Georgia Institute of Technology; Manos Antonakakis, Georgia Institute of Technology; Mustaque Ahamad, Georgia Institute of Technology and New York University Abu Dhabi

Most modern malware download attacks occur via the browser, typically due to social engineering and driveby downloads. In this paper, we study the “origin” of malware download attacks experienced by real network users, with the objective of improving malware download defenses. Specifically, we study the web paths followed by users who eventually fall victim to different types of malware downloads. To this end, we propose a novel incident investigation system, named WebWitness. Our system targets two main goals: 1) automatically trace back and label the sequence of events (e.g., visited web pages) preceding malware downloads, to highlight how users reach attack pages on the web; and 2) leverage these automatically labeled in-the-wild malware download paths to better understand current attack trends, and to develop more effective defenses.

We deployed WebWitness on a large academic network for a period of ten months, where we collected and categorized thousands of live malicious download paths. An analysis of this labeled data allowed us to design a new defense against drive-by downloads that rely on injecting malicious content into (hacked) legitimate web pages. For example, we show that by leveraging the incident investigation information output byWebWitness we can decrease the infection rate for this type of drive-by downloads by almost six times, on average, compared to existing URL blacklisting approaches.

Available Media

Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits

Carl Sabottke, Octavian Suciu, and Tudor Dumitraș, University of Maryland

In recent years, the number of software vulnerabilities discovered has grown significantly. This creates a need for prioritizing the response to new disclosures by assessing which vulnerabilities are likely to be exploited and by quickly ruling out the vulnerabilities that are not actually exploited in the real world. We conduct a quantitative and qualitative exploration of the vulnerability-related information disseminated on Twitter. We then describe the design of a Twitter-based exploit detector, and we introduce a threat model specific to our problem. In addition to response prioritization, our detection techniques have applications in risk modeling for cyber-insurance and they highlight the value of information provided by the victims of attacks.

Available Media

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

Mariano Graziano and Davide Canali, Eurecom; Leyla Bilge, Symantec Research Labs; Andrea Lanzi, Universitá degli Studi di Milano; Davide Balzarotti, Eurecom

Malware sandboxes are automated dynamic analysis systems that execute programs in a controlled environment. Within the large volumes of samples submitted every day to these services, some submissions appear to be different from others, and show interesting characteristics. For example, we observed that malware samples involved in famous targeted attacks – like the Regin APT framework or the recently disclosed malwares from the Equation Group – were submitted to our sandbox months or even years before they were detected in the wild. In other cases, the malware developers themselves interact with public sandboxes to test their creations or to develop a new evasion technique. We refer to similar cases as malware developments. 

In this paper, we propose a novel methodology to automatically identify malware development cases from the samples submitted to a malware analysis sandbox. The results of our experiments show that, by combining dynamic and static analysis with features based on the file submission, it is possible to achieve a good accuracy in automatically identifying cases of malware development. Our goal is to raise awareness on this problem and on the importance of looking at these samples from an intelligence and threat prevention point of view.

Available Media

Platinum Sponsors

Gold Sponsors

Silver Sponsors

Bronze Sponsors

General Sponsors

Media Sponsors & Industry Partners

Open Access Publishing Partner

© USENIX

  • Privacy Policy
  • Contact Us