Technical Sessions

Research on botnet mitigation has focused predominantly on methods to technically disrupt the commandand- control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that support largescale cleanup of end user machines. It has been six years since the Conficker botnet was sinkholed. The attackers have abandoned it. Still, nearly a million machines remain infected. Conficker provides us with a unique opportunity to estimate cleanup rates, because there are relatively few interfering factors at work. This paper is the first to propose a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. We compare the growth, peak, and decay of Conficker across countries. We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact. Cleanup seems even slower than the replacement of machines running Windows XP. In general, the infected users appear outside the reach of current remediation practices. Some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation. These machines can however be magnets for other threats — we find an overlap between GameoverZeus and Conficker infections. We conclude by reflecting on what this means for the future of botnet mitigation.

February 2011 saw the emergence of Silk Road, the first successful online anonymous marketplace, in which buyers and sellers could transact with anonymity properties far superior to those available in alternative online or offline means of commerce. Business on Silk Road, primarily involving narcotics trafficking, rapidly boomed, and competitors emerged. At the same time, law enforcement did not sit idle, and eventually managed to shut down Silk Road in October 2013 and arrest its operator. Far from causing the demise of this novel form of commerce, the Silk Road take-down spawned an entire, dynamic, online anonymous marketplace ecosystem, which has continued to evolve to this day. This paper presents a long-term measurement analysis of a large portion of this online anonymous marketplace ecosystem, including 16 different marketplaces, over more than two years (2013– 2015). By using long-term measurements, and combining our own data collection with publicly available previous efforts, we offer a detailed understanding of the growth of the online anonymous marketplace ecosystem. We are able to document the evolution of the types of goods being sold, and assess the effect (or lack thereof) of adversarial events, such as law enforcement operations or large-scale frauds, on the overall size of the economy. We also provide insights into how vendors are diversifying and replicating across marketplaces, and how vendor security practices (e.g., PGP adoption) are evolving. These different aspects help us understand how traditional, physical-world criminal activities are developing an online presence, in the same manner traditional commerce diversified online in the 1990s.

In 2014 DARPA launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo. Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge were not initially ready to take to the highways, the first generation of automated network defense systems will not be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a league of their own, allowing them to compete head-to-head to defend a network of bespoke software.

In this talk, I will describe the experimental setup, measurement, and results of the qualifying year of the DARPA Cyber Grand Challenge. I will cover in depth the DECREE platform, which was developed specifically for the first automated CTF competition, focusing on the experiments it enables, its relevance towards funded research in the computer security domain, and its accessibility to program analysis. On June 3rd, 2015, a 24-hour qualifying event will measure CGC systems in competition and help to select up to seven finalists. I will provide a statistical analysis of the results of the CGC qualifying round, including the visualization of successful automated defensive techniques, successes, failures, rates of efficacy, and other findings backed by post-event reverse engineering. Finally, I will close the talk with some initial thoughts regarding experimentation in the domain of adversarial automation.

Mike Walker joined DARPA as a program manager in January 2013. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation "Strikeforce” Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and helped lead CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).

We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new longterm biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood. To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9•2²⁷ ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin’s ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.

We present eclipse attacks on bitcoin’s peer-to-peer network. Our attack allows an adversary controlling a sufficient number of IP addresses to monopolize all connections to and from a victim bitcoin node. The attacker can then exploit the victim for attacks on bitcoin’s mining and consensus system, including N-confirmation double spending, selfish mining, and adversarial forks in the blockchain. We take a detailed look at bitcoin’s peer-to-peer network, and quantify the resources involved in our attack via probabilistic analysis, Monte Carlo simulations, measurements and experiments with live bitcoin nodes. Finally, we present countermeasures, inspired by botnet architectures, that are designed to raise the bar for eclipse attacks while preserving the openness and decentralization of bitcoin’s current network architecture.

Security operations people worldwide continue to be overwhelmed by global malicious actors who enjoy an asymmetric advantage. In order to level the playing field, innovators continually create new capabilities that enable them to secure their information infrastructures more scalably and efficiently. Often times, these innovations can solve the same or similar problems in many other enterprises—representing an attractive business opportunity by addressing a large unmet need.

However, inserting these innovations into existing market ecosystems is significantly more challenging than simply packaging together a few lines of code and selling them. Rather, these technical innovators must often transform themselves into business leaders that embody marketing, finance and product management skill sets for which they may have had little or no formal training.

This talk will describe that transformation as technology-focused entrepreneurs with disruptive concepts can build companies that can attract the talent, capital, and customers required for their innovations to reach their intended markets.

Rick Gordon is an expert on security technology investing, business strategy and early-stage venture development. Rick currently serves as Managing Partner of Mach37™, the premier accelerator for cybersecurity entrepreneurs and startups. MACH37 launches companies that are delivering the next generation of cybersecurity solutions.

Prior to this role, Rick served as Vice President of Product Management at KEYW Corporation, COO of Lookingglass Cyber Solutions, Managing Director at The Civitas Group, CEO of Tovaris, and was a founding board member of Invincea.

User studies are critical to understanding how users perceive and interact with security and privacy software and features. However, conducting usable privacy and security studies is complicated. In some studies, researchers recruit participants to perform tasks not directly related to security so that they can observe how participants respond to security-related prompts or cues that occur while users are focused on primary tasks. Researchers also try to put users in situations where they believe their security or privacy is at risk, while at the same time making sure that participants will not actually suffer harm. When conducting usable security studies there are a lot of methodological details to get right, and studies don't always go quite as planned. In this talk I will offer a behind-the-scenes look at usable privacy and security study design and present lessons learned from over a decade of user studies at the CyLab Usable Privacy and Security Lab at Carnegie Mellon University.

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. Cranor has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine, and in 2014 she was named an ACM Fellow for her contributions to usable privacy and security research and education. She was previously a researcher at AT&T Labs Research and taught in the Stern School of Business at New York University. In 2012–13, Cranor spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University, where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, while past work has demonstrated the usefulness of provenance, less attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use.

We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems. We demonstrate that LPM creates a trusted provenance-aware execution environment, collecting complete whole-system provenance while imposing as little as 2.7% performance overhead on normal system operation. LPM introduces new mechanisms for secure provenance layering and authenticated communication between provenance-aware hosts, and also interoperates with existing mechanisms to provide strong security assurances. To demonstrate the potential uses of LPM, we design a Provenance-Based Data Loss Prevention (PB-DLP) system. We implement PBDLP as a file transfer application that blocks the transmission of files derived from sensitive ancestors while imposing just tens of milliseconds overhead. LPM is the first step towards widespread deployment of trustworthy provenance-aware applications.

Mandatory protection systems such as SELinux and SEAndroid harden operating system integrity. Unfortunately, policy development is error prone and requires lengthy refinement using audit logs from deployed systems. While prior work has studied SELinux policy in detail, SEAndroid is relatively new and has received little attention. SEAndroid policy engineering differs significantly from SELinux: Android fundamentally differs from traditional Linux; the same policy is used on millions of devices for which new audit logs are continually available; and audit logs contain a mix of benign and malicious accesses. In this paper, we propose EASEAndroid, the first SEAndroid analytic platform for automatic policy analysis and refinement. Our key insight is that the policy refinement process can be modeled and automated using semi-supervised learning. Given an existing policy and a small set of known access patterns, EASEAndroid continually expands the knowledge base as new audit logs become available, producing suggestions for policy refinement. We evaluate EASEAndroid on 1.3 million audit logs from real-world devices. EASEAndroid successfully learns 2,518 new access patterns and generates 331 new policy rules. During this process, EASEAndroid discovers eight categories of attack access patterns in real devices, two of which are new attacks directly against the SEAndroid MAC mechanism.

While we’re all furiously working on new techniques to automate the finding of weaknesses and even vulnerabilities in software, relatively few programmers in the real world are benefiting from our work. The reasons for this situation are myriad, ranging from lack of training, awareness, and economic incentives on the part of the users; complex and only partially useful tools on the part of the assurance tool developers; legal barriers to open reporting of software problems; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.

As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a 5-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. In addition, tool developers can use the SWAMP-developed resources to speed their tool developments, making it easier to compete with established research projects and commercial products. The SWAMP also serves as a resource for classroom instructors and for researchers studying the software assurance process.

I will discuss our experiences trying make an impact on the adoption of software assurance practices, the obstacles to making such an impact, and how the security research community (you!) can make this mission more effective.

Barton Miller is Professor of Computer Sciences at the University of Wisconsin. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation." Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.

Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns as seen by untrusted storage. This paper proposes Ring ORAM, the most bandwidth-efficient ORAM scheme for the small client storage setting in both theory and practice. Ring ORAM is the first tree-based ORAM whose bandwidth is independent of the ORAM bucket size, a property that unlocks multiple performance improvements. First, Ring ORAM’s overall bandwidth is 2.3x to 4x better than Path ORAM, the prior-art scheme for small client storage. Second, if memory can perform simple untrusted computation, Ring ORAM achieves constant online bandwidth (~ 60x improvement over Path ORAM for practical parameters). As a case study, we show Ring ORAM speeds up program completion time in a secure processor by 1.5x relative to Path ORAM. On the theory side, Ring ORAM features a tighter and significantly simpler analysis than Path ORAM.

New big-data analysis platforms can enable distributed computation on encrypted data by utilizing trusted computing primitives available in commodity server hardware. We study techniques for ensuring privacy preserving computation in the popular MapReduce framework. In this paper, we first show that protecting only individual units of distributed computation (e.g. map and reduce units), as proposed in recent works, leaves several important channels of information leakage exposed to the adversary. Next, we analyze a variety of design choices in achieving a stronger notion of private execution that is the analogue of using a distributed oblivious-RAM (ORAM) across the platform. We develop a simple solution which avoids using the expensive ORAM construction, and incurs only an additive logarithmic factor of overhead to the latency. We implement our solution in a system called M²R, which enhances an existing Hadoop implementation, and evaluate it on seven standard MapReduce benchmarks. We show that it is easy to port most existing applications to M²R by changing fewer than 43 lines of code. M²R adds fewer than 500 lines of code to the TCB, which is less than 0:16% of the Hadoop codebase. M²R offers a factor of 1:3x to 44:6x lower overhead than extensions of previous solutions with equivalent privacy. M²R adds a total of 17% to 130% overhead over the insecure baseline solution that ignores the leakage channels M²R addresses.

Many security bugs, such as Cross-Site-Scripting (XSS), SQL injection, buffer overruns, etc, are in isolation relatively straightforward to understand and avoid. Nevertheless, it tends to be surprisingly hard to prevent their introduction in large-scale software development: Large pieces of software have many code sites where such a bug could be potentially introduced, and large systems make it difficult to identify bugs once they exist.

This talk describes our approach to preventing the introduction of certain classes of security bugs in large-scale software development projects at Google. We present design patterns to confine the potential for XSS vulnerabilities to a very small, manually auditable fraction of an application's code base. These patterns have been applied to several of Google's flagship services and their underlying web application frameworks, and have resulted in a drastic reduction of XSS bugs observed. We will discuss the applicability of bug-prevention approaches based on framework and API design to other vulnerabilities classes such as SQL injection, and close with observations on the practicality of their integration into real-world, large scale software development projects.

Christoph Kern has been an Information Security Engineer at Google since 2003. Since 2012, he has been leading a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. Christoph is a founding contributor to the IEEE Computer Society Center for Secure Design, and serves on the CSD's steering committee.

For decades, formal methods have offered the promise of software that doesn’t have exploitable bugs. Until recently, however, it hasn’t been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed. SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. It has been proven to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and to enforce integrity and confidentiality properties. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler. A number of factors have enabled this revolution in the formal methods community, including increased processor speed, better infrastructure like the Isabelle/HOL and Coq theorem provers, specialized logics for reasoning about low-level code, increasing levels of automation afforded by tactic languages and SAT/SMT solvers, and the decision to move away from trying to verify existing artifacts and instead focus on co-developing the code and the correctness proof. In this talk I will explore the promise and limitations of current formal methods techniques for producing useful software that provably does not contain exploitable bugs. I will discuss these issues in the context of DARPA’s HACMS program, which has as its goal the creation of high-assurance software for vehicles, including quad-copters, helicopters, and automobiles.

Kathleen Fisher is Professor in the Computer Science Department at Tufts University. Previously, she was a Principal Member of the Technical Staff at AT&T Labs Research, a Consulting Faculty Member in the Computer Science Department at Stanford University, and a program manager at DARPA where she started and managed the HACMS and PPAML programs. Kathleen's research focuses on advancing the theory and practice of programming languages and on applying ideas from the programming language community to the problem of ad hoc data management. The main thrust of her work has been in domain-specific languages to facilitate programming with massive amounts of ad hoc data. Kathleen is an ACM Fellow. She has served as program chair for FOOL, ICFP, CUFP, and OOPSLA. Kathleen is past Chair of the ACM Special Interest Group in Programming Languages (SIGPLAN), past Co-Chair of CRA's Committee on the Status of Women (CRA-W), a former editor of the Journal of Functional Programming, and an associated editor of TOPLAS.

Binary analysis facilitates many important applications like malware detection and automatically fixing vulnerable software. In this paper, we propose to apply artificial neural networks to solve important yet difficult problems in binary analysis. Specifically, we tackle the problem of function identification, a crucial first step in many binary analysis techniques. Although neural networks have undergone a renaissance in the past few years, achieving breakthrough results in multiple application domains such as visual object recognition, language modeling, and speech recognition, no researchers have yet attempted to apply these techniques to problems in binary analysis. Using a dataset from prior work, we show that recurrent neural networks can identify functions in binaries with greater accuracy and efficiency than the state-of-the-art machine-learning-based method. We can train the model an order of magnitude faster and evaluate it on binaries hundreds of times faster. Furthermore, it halves the error rate on six out of eight benchmarks, and performs comparably on the remaining two.

Throughout the last few decades, computer software has experienced an arms race between exploitation techniques leveraging memory corruption and detection/protection mechanisms. Effective mitigation techniques, such as Address Space Layout Randomization, have significantly increased the difficulty of successfully exploiting a vulnerability. A modern exploit is often two-stage: a first information disclosure step to identify the memory layout, and a second step with the actual exploit. However, because of the wide range of conditions under which memory corruption occurs, retrieving memory layout information from the program is not always possible.

In this paper, we present a technique that uses the dynamic loader’s ability to identify the locations of critical functions directly and call them, without requiring an information leak. We identified several fundamental weak points in the design of ELF standard and dynamic loader implementations that can be exploited to resolve and execute arbitrary library functions. Through these, we are able to bypass specific security mitigation techniques, including partial and full RELRO, which are specifically designed to protect ELF data-structures from being coopted by attackers. We implemented a prototype tool, Leakless, and evaluated it against different dynamic loader implementations, previous attack techniques, and reallife case studies to determine the impact of our findings. Among other implications, Leakless provides attackers with reliable and non-invasive attacks, less likely to trigger intrusion detection systems.

Cybersecurity research within the National Security Agency/Central Security Service Research Directorate is a complex, mission-driven effort that must take into account multiple perspectives from information assurance, intelligence, and U.S. Cyber Command. The Research Directorate’s efforts into securing cyberspace must provide scientific advantages for NSA’s major missions, protect civil liberties, and implement transparency and privacy protections.

There are numerous facets to the Research Directorate’s cybersecurity research including developing a security for IoT devices, building a basic science of security, and cyber resilience. Other research that ties into the cybersecurity space includes low-power computing, neuromorphic computing, visual analytics, and high-speed stream processing.

This talk will provide a high-level overview of the National Security Agency/Central Security Service Research Directorate, including a short discussion of the process of the intelligence analysis mission, and highlight some of the directorate’s current research projects in cybersecurity and related fields. As part of her “dive” into cybersecurity, Dr. Frincke will also discuss current challenges in cybersecurity.

Dr. Deborah Frincke currently leads the Research Directorate of the National Security Agency/Central Security Service (NSA/CSS), the only “in-house” research organization in the U.S. Intelligence Community to create breakthroughs in mathematics, science, and engineering that support and enable the NSA/CSS. Under her guidance, the Research Directorate recruits personnel and maintains faculties that are world-class in fields as diverse as mathematics, computer science, cybersecurity/trustworthy computing, engineering, physics, neuroscience, cognitive psychology and linguistics. The Research Directorate engages with leading industries, universities, and national laboratories to both advance core competencies and to leverage work in overlapping disciplines. Dr. Frincke recently transitioned to the Research Directorate after leading global education and training for the NSA/CSS as Associate Director for Education and Training (ADET). While leading ADET, Dr. Frincke also served as Commandant of the National Cryptologic School and as the NSA/CSS Training Director.

Prior to joining NSA/CSS, Dr. Frincke had a threefold career encompassing academia, the Department of Energy National Laboratory system, and private industry. A nationally-recognized expert and well-cited author, she has published over 100 articles and technical reports, and she continues to speak nationally on topics from leadership to cybersecurity. She also co-leads the Basic Training Board for IEEE Security and Privacy magazine. Past professional service includes leadership and participation on numerous scientific program committees and editorial boards, such as the Journal of Computer Security, and organizational boards, including the Networking and Information Technology Research and Development Program and National Intelligence Science and Technology Committee. She is a Senior Member of IEEE and an affiliate Full Professor with the Information School at the University of Washington.