WORKSHOP PROGRAM ABSTRACTS

Visual Security Policy for the Web
Back to Program
Many web security vulnerabilities allow parts of a page to interact when they should be isolated. Such vulnerabilities can be mitigated by implementing protection boundaries between web page elements. Several methods exist for creating such boundaries, but existing methods require relatively sophisticated knowledge of web technologies. To make protection mechanisms available to a wider audience, we propose a simple web page security policy language, ViSP, modelled on mechanisms for specifying page layout. Here we characterise ViSP and describe a simple Firefox-based prototype that allows interactive, graphical specification of per-page security policies. We also show how these tools can be used to protect against cross-site scripting (XSS) attacks on common web applications.

Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Back to Program
This article aims to raise awareness of a rapidly emerging privacy threat that we term cybercasing: using geo-tagged information available online to mount real-world attacks. While users typically realize that sharing locations has some implications for their privacy, we provide evidence that many (i) are unaware of the full scope of the threat they face when doing so, and (ii) often do not even realize when they publish such information. The threat is elevated by recent developments that make systematic search for specific geo-located data and inference from multiple sources easier than ever before. In this paper, we summarize the state of geo-tagging; estimate the amount of geo-information available on several major sites, including YouTube, Twitter, and Craigslist; and examine its programmatic accessibility through public APIs. We then present a set of scenarios demonstrating how easy it is to correlate geo-tagged data with corresponding publicly-available information for compromising a victim's privacy. We were, e.g., able to find private addresses of celebrities as well as the origins of otherwise anonymized Craigslist postings. We argue that the security and privacy community needs to shape the further development of geo-location technology for better protecting users from such consequences.

On the Impossibility of Cryptography Alone for Privacy-Preserving Cloud Computing
Back to Program
Cloud computing denotes an architectural shift toward thin clients and conveniently centralized provision of computing resources. Clients' lack of direct resource control in the cloud prompts concern about the potential for data privacy violations, particularly abuse or leakage of sensitive information by service providers. Cryptography is an oft-touted remedy. Among its most powerful primitives is fully homomorphic encryption (FHE), dubbed by some the field's "Holy Grail," and recently realized as a fully functional construct with seeming promise for cloud privacy. We argue that cryptography alone can't enforce the privacy demanded by common cloud computing services, even with such powerful tools as FHE. We formally define a hierarchy of natural classes of private cloud applications, and show that no cryptographic protocol can implement those classes where data is shared among clients. We posit that users of cloud services will also need to rely on other forms of privacy enforcement, such as tamperproof hardware, distributed computing, and complex trust ecosystems.

Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks
Back to Program
We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want—so long as it's not already too popular with other users. We create an oracle to identify undesirably popular passwords using an existing data structure known as a count-min sketch, which we populate with existing users' passwords and update with each new user password. Unlike most applications of probabilistic data structures, which seek to achieve only a maximum acceptable rate false-positives, we set a minimum acceptable false-positive rate to confound attackers who might query the oracle or even obtain a copy of it.

Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine
Back to Program
Current OSes include many logical sharing techniques (shared library, symbolic link, etc.) on memory and storage. Unfortunately they cause security and management problems which come from the dynamic management of logical sharing; e.g., GOT (Global Offset Table) overwrite attack, TOCTOU (Time Of Check to Time Of Use) attack, DLL Hell, etc. This paper proposes that self-contained binaries eliminate the problems caused by logical sharing. The memory and storage overheads caused by self-contained binaries are mitigated by physical sharing (memory and disk deduplication). The effect of deduplication was investigated on the KVM virtual machine with KSM (Kernel Samepage Merging) and LBCAS (Loopback Content Addressable Storage).

Embedded Firmware Diversity for Smart Electric Meters
Back to Program
Smart meters are now being aggressively deployed worldwide, with tens of millions of meters in use today and hundreds of millions more to be deployed in the next few years. These low-cost (≅ $50) embedded devices have not fared well under security analysis: experience has shown that the majority of current devices that have come under scrutiny can be exploited by unsophisticated attackers. The potential for large-scale attacks that target a single or a few vulnerabilities is thus very real. In this paper, we consider how diversity techniques can limit large-scale attacks on smart meters. We show how current meter designs do not possess the architectural features needed to support existing diversity approaches such as address space randomization. In response, we posit a new return address encryption technique suited to the computationallly and resource limited smart meters. We conclude by considering analytically the effect of diversity on an attacker wishing to launch a large-scale attack, showing how a lightweight diversity scheme can force the time needed for a large compromise into the scale of years.

Evading Cellular Data Monitoring with Human Movement Networks
Back to Program
Cellular networks are centrally administered, enabling service providers and their governments to conduct system-wide monitoring and censorship of mobile communication. This paper presents HUMANETS, a fully decentralized, smartphone-to-smartphone (and hence human-to-human) message passing scheme that permits unmonitored message communication even when all cellular traffic is inspected. HUMANET message routing protocols exploit human mobility patterns to significantly increase communication efficiency while limiting the exposure of messages to mobile service providers. Initial results from trace-driven simulation show that 85% of messages reach their intended destinations while using orders of magnitude less network capacity than naïve epidemic flooding techniques.

Challenges in Access Right Assignment for Secure Home Networks
Back to Program
The proliferation of advanced technologies has been altering our lifestyle and social interactions—the next frontier is the digital home. Although the future of smart homes is promising, many technical challenges must be addressed to achieve convenience and security. In this paper, we delineate the unique combination of security challenges specifically for access control and consider the challenges of how to simply and securely assign access control policies to visitors for home devices and resources. As an initial approach, we present a set of intuitive access control policies and suggest four access control settings based on our in-person interview results. We anticipate that future research can build on our proposed mechanisms to provide confidence to non-expert home owners for letting visitors use their home network.

Scalable Anonymous Communication with Provable Security
Back to Program
A key problem in Tor's architecture is that it requires users to maintain a global view of the system, which will become costly as the size of the network increases. Several peer-to-peer approaches have been proposed in order to alleviate the scalability concerns of the Tor network, but they are only able to provide heuristic security; in fact, the security community has been quite successful at breaking the state of the art systems using both passive and active attacks. In this paper, we explore new primitives for scalable anonymous communication, with a focus on providing provable security guarantees. First, we propose a new approach for secure peer-to-peer anonymous communication based on a reciprocal neighbor policy. Secondly, we propose PIR-Tor, a client-server scalable architecture for anonymous communications based on Private Information Retrieval.

Retroactive Detection of Malware with Applications to Mobile Platforms
Back to Program
We introduce a practical software-based attestation approach. Our new method enables detection of any active malware (e.g., malware that executes or is activated by interrupts)—even if the infection occurred before our security measure was loaded. It works independently of computing platform, and is eminently suited to address the threat of mobile malware, for which the current Anti-Virus paradigm is poorly suited. Our approach is based on memory-printing of client devices. Memory-printing is a novel and light-weight cryptographic construction whose core property is that it takes notably longer to compute a function if given less RAM than for which it was configured. This makes it impossible for a malware agent to remain active (e.g., in RAM) without being detected, when the function is configured to use all space that should be free after all active applications are swapped out. Our approach is based on inherent timing differences for random access of RAM, flash, and other storage; and the time to communicate with external devices. We do not rely on heuristics when arguing our scheme's security. Accordingly, our approach represents a step towards greater rigor and security assurance.

Scalable Web Object Inspection and Malfease Collection
Back to Program
Internet drive-by downloads attacks are the preferred vehicle to infect desktop computers. In this paper, we propose a new URL analysis framework that combines lightweight virtualization and novel modifications to the WINE engine to detect heap spray attacks against applications. In addition, we are able to extract the attack shellcode used to further download other malicious binaries to the victim machine. Our preliminary results indicate that our system offers a compelling alternative to other process monitoring and virtualization technologies including QEMU and VMware since it can scale to thousands of instances per machine.