35th Annual Computer Security Applications Conference (ACSAC 2019)

Full Program »

Works in Progress

Thursday, 12 December 2019
17:15 - 18:15

Royal Ballroom

Chair: Kevin Roundy, NortonLifeLock

Untangling Certificate Error Messages
Martin Ukrop and Pavol Žáčik (Masaryk University)


Properly validating X.509 certificates turns out to be pretty complicated, with many applications failing to do it right. Furthermore, the usability of many commonly used tools and libraries is far from ideal. We want to improve the situation and make X.509 validation errors usable for developers. We aim to simplify the ecosystem by consolidating the errors and their documentation. We want to map and compare errors from the most used libraries, improve the explanation of what the validation errors mean and provide ready-to-use sample certificates for testing. The project is already available at x509errors.org.

VIPER: Vendor-Independent Policy Enforcement for Consumer IoT Ecosystems
Vasudevan Nagendra and Arani Bhattacharya (Stony Brook University); Vinod Yegneswaran (SRI International); Amir Rahmati and Samir R Das (Stony Brook University)


The swift adoption of the Internet of things (IoT) has led to a significant explosion in the number of devices that are being rapidly integrated into consumer IoT infrastructures (e.g., “smart homes”, “smart campus”, and “smart cities”). Gartner Inc. predicts that by 2022, a single “smart home” is likely to have over 500 connected devices, while a “smart campus” or “smart city” may have millions of devices attached to its ecosystem. These IoT ecosystems are inherently dynamic, such that devices are recursively triggered and actuated based on dynamic physical and environmental conditions (e.g., time, location, temperature, humidity, fire) or security states (e.g., compromised, under DDoS attack). Apart from their scale and dynamism, existing commodity IoT devices also exhibit an unprecedented degree of heterogeneity in the functional capabilities that they provide and the manner in which these devices are programmed for automation by using various vendor-specific application programming interfaces (APIs) (e.g., IFTTT-based applets [4], Groovy, MUD-based profiles, OpenHAB-based automation. Collectively, these three challenges (i.e., scale, dynamism, and heterogeneity) makes deploying and managing IoT infrastructures a vexing task.

In this work, we introduce VIPER, a "Vendor-Independent Policy Enforcement for Consumer IoT Ecosystems" that enables conflict-free policy specification and enforcement in IoT environments. VIPER converts the topology of the IoT infrastructure into a tree-based abstraction and translates existing policies from heterogeneous vendor-specific programming languages such as Groovy-based SmartThings, OpenHAB, IFTTT-based templates, and MUD-based profiles into a vendor-independent graph-based specification. Using the two, VIPER can automatically detect rouge policies, conflicts, and bugs for coherent automation and conflict-free enforcement.

Quantifying Realistic Threats for Deep Learning Models
Zhenyu Zhong, Zhisheng Hu, and Xiaowei Chen (Baidu USA)


DNN models have suffered from adversarial example attacks which lead to inconsistent prediction results.As opposed to the gradient-based attack, which assumes white-box access to the model by the attacker, we focus on more realistic input perturbations from the real-world and their actual threat severity to the model predictions.

In this work, we propose a set of safety properties introduced by these real-world perturbations. We design a framework that evaluates model robustness and threat severity to the violations against these safety properties. The framework incorporates metrics that make model-to-model comparison possible under various real-world perturbations across different machine learning tasks such as image classification and object detection. We make robustness comparisons among the  13 pre-trained models at ImageNet scale  as well as 3 state-of-the art object detection models. We believe a standardized threat quantification will encourage AI industries to make model robustness equally important as accuracy.

Real-time Privacy Analysis of IoT Apps

Leonardo Babun (Florida International University); Z. Berkay Celik (Purdue University); Patrick McDaniel (Pennsylvania State University); A. Selcuk Uluagac (Florida International University)


IoT apps have access to sensitive data to implement their functionality. However, users lack visibility into how their sensitive data is used (or leaked). To overcome these limitations, we present our ongoing work for a novel dynamic analysis tool to uncover privacy risks in IoT apps. The proposed tool uses app instrumentation and Natural Language Processing to inform the users about sensitive data leaks and privacy concerns from IoT apps in real-time.

Trusting the Faceless and Decentralized? An Exploration of Trust Among Cryptocurrency Users and Non-Users

Artemij Voskobojnikov, Borke Obada-Obieh, Yue Huang, and Konstantin Beznosov (University of British Columbia)


Cryptocurrencies have been gaining an increasing interest over recent years, which resulted in a market worth hundreds of billions of dollars. Naturally, this growth attracted various actors, including, but not limited to, dishonest, or outright fraudulent cryptocurrency start-ups and exchanges. While the risks are well documented, it is unclear how users navigate this landscape of ``faceless and decentralized'' actors and choose whom and how much they can trust. This study investigates how people build and manage trust, when it comes to cryptocurrencies and crypto tokens.

We have conducted an interview study with 11 users and 9 non-users and investigated trust determinants among them. When probing our participants about their perception of trust in the cryptocurrency domain, four groups of antecedents emerged: subjective, technological, social, and institutional. While the subjective antecedents of trust are particular to an individual, others are more general and include factors such as published information by cryptocurrency founders and operators or opinions from coworkers and celebrities.

Whenever information about the contextual properties of an actor is limited, as it is the case with new blockchain start-ups, cryptocurrency users employ publicly available, and often unreliable, information to build and maintain trust. They research blogs, websites, as well as white papers and forums to assess whether a coin is worth purchasing. Obtained mostly from public web pages, information about the history of the development and operating team (and its members), as well as the jurisdiction of the exchange or company behind it, plays an important role. The vast majority of these antecedents of trust, however, are based on unreliable information that can (and has been known to) be falsified by dishonest actors. Therefore, it is vital to provide support for cryptocurrency users to decrease the likelihood and amount of losses.

For non-users, trust management also appears to be of importance. We identified factors that negatively correlate with the trust perception of non-users, thus, possibly resulting in non-involvement. It appears that the lack of guidance, combined with usability issues of interfaces, and the lack of institutional trust based on regulations and perceived normality might lead to mistrust and, therefore, to a non-involvement.

A Novel Fine-grained Access Control System for Multi-user Multi-device Smart Home Systems
Amit Kumar Sikder and Leonardo Babun (Florida International University); Z. Berkay Celik (Purdue University); Abbas Acar and Hidayet Aksu (Florida International University); Patrick McDaniel (Penn State University); Engin Kirda (Northeastern University); A. Selcuk Uluagac (Florida International University)


In smart home systems, multiple users use multiple smart home devices simultaneously. This multi-user ecosystem gives rise to complex, asymmetric, and conflicting demands on multiple devices, which cannot be solved by the traditional single-user smart home access control systems. To address this problem, we present our ongoing work to introduce a multi-user multi-device-aware access control mechanism for smart home systems.

Intercomparison of Hardware & Software Based Intrusion Detection Systems for Controller Area Networks
Katrina Rosemond (Howard University)


With emerging automotive technologies like autonomy and Internet of Things (IoT) device connectivity, the current intra-vehicular network needs to be hardened to prevent attacks against safety-critical features. Therefore it is vital that information sent over the vehicle’s controller area network or CAN bus is secure and reliable. Like most networks, we can use intrusion detection systems (IDS) to help prevent CAN-based attacks. While several researchers have built various IDS, both hardware and software, for detecting attacks within the CAN bus they can be difficult to reproduce due to various challenges including cost and limited intellectual property access to valid CAN bus communication data. The objective of this research is to evaluate the performance of both a hardware-based and software IDS with known CAN attacks.


Powered by OpenConf®
Copyright©2002-2020 Zakon Group LLC