35th Annual Computer Security Applications Conference (ACSAC 2019)


Poster Session with Light Refreshments

Thursday, 12 December 2019
18:30 - 20:00

Royal Ballroom Foyer

Chair: Kevin Roundy, NortonLifeLock

Vulnerability Analysis, Attack Strategies and Countermeasures Design in Network Tomography
Shangqing Zhao, Zhe Qu, and Zhuo Lu (University of South Florida); Cliff Wang (North Carolina State University)


Network tomography is a vital tool to estimate link metrics from end-to-end measurements. However, simply trusting end-to-end measurements leads to measurement integrity vulnerabilities when attackers are present in a network because they can intentionally manipulate link metrics via delaying or dropping packets to affect measurements. In this poster, we introduce our past and current research results to show that the vulnerability in network tomography is real and describe our attack strategy, called scapegoating. We present three basic scapegoating approaches and show the conditions under which attacks can be successful. In addition, we show how to detect and locate such attacks in a network. We note that this poster abstract and the poster are excerpted from our recent and on-going papers.

Towards a Hybrid Attribute-based Access Control (ABAC) Engineering Framework
Manar Alohaly (University of North Texas); Hassan Takabi (Georgia State University)


The development of an attribute-based access control (ABAC) system requires a substantial degree of manual effort to derive a set of appropriate machine-readable policies. To reduce the development costs, two primary approaches have been proposed, namely bottom-up (a.k.a. policy mining) and automated top-down policy engineering. Major shortcomings of these approaches, respectively, are generating policies irrelevant to organization needs and overlooking information from the existing access control system. In this work, we propose a hybrid ABAC policy engineering approach to combine the benefits and address the shortcomings of bottom-up and top-down policy engineering in a systematic framework. The novelty of our approach is in generating a machine-readable ABAC policy that conforms with the existing access control of the system and is consistent with its authorization requirements as originally expressed in natural language form.

The Catch-22 Attack
Lumin Shi and Devkishen Sisodia (University of Oregon); Mingwei Zhang (CAIDA, UC San Diego); Jun Li (University of Oregon); Alberto Dainotti (CAIDA, UC San Diego); Peter Reiher (UCLA)


In this work, we introduce the Catch-22 attack, a distributed denial-of-service (DDoS) link-flooding attack that exploits real-world limitations of DDoS defense.  An attacker in the Catch-22 attack leverages virtual private server (VPS) providers and residential proxy services as vehicles for assembling a botnet, and employs moving target attack techniques to not only maximize the amount of strain on DDoS defense, but also maximize the amount of collateral damage incurred by attacked networks, thereby wreaking havoc on wide swaths of the Internet.  In fact, according to our preliminary evaluation, the Catch-22 attack can cause significant collateral damage to over thousands of websites from a major VPS provider.  To the best of our knowledge, no existing work has yet to present a solution for such an attack, let alone study it.

Etherolic: A Concolic Execution System for Security Analysis of Smart Contracts
Mohammadreza Ashouri (University of Potsdam)


Considering numerous projects using smart contracts based on the blockchain technology racing to market, there is an ever-growing necessity for secure contracts to protect what could potentially be worth billions. Ethereum smart contracts are small executable programs, used on a peer-to-peer network as part of a consensus protocol. Precisely, a smart contract is a set of low-level instructions being run on the Ethereum Virtual Machine (EVM). This low-level representation of smart contracts is called the Ethereum bytecode, which is public, immutable and once used in the blockchain, cannot be patched anymore. In this ongoing work, we present Etherolic, as the first runtime analysis framework based on concolic execution that analyzes the smart contracts' bytecode for detecting various vulnerabilities and attacks.

In contrast to previous works, Etherolic does not need any source code, it analyzes inter-contract control flows, inter-transactional, and combines symbolic execution of bytecode with a presentation of concrete values from the public Ethereum blockchain. Our experimental evaluation of {\totalprojects} programs, containing public libraries, demonstrates the effectiveness and usefulness of Etherolic in real-life applications. Moreover, intending to develop our analysis accuracy, we implemented and introduced "NoSmartBench" as the first comprehensive artificial vulnerable benchmark suite that comprises various types of security issues in smart contracts. This benchmark can also be helpful for other studies in the future.

Automatic Malware Detection on an Alexa-Pi IoT Device
Mahshid Noorani (University of Maryland College Park/Drexel University); Dr. Spiros Mancoridis (Department of Computer Science, Drexel University, Philadelphia, PA); Dr. Steven Weber (Department of Electrical and Computer Engineering, Drexel University, Philadelphia, PA)


This work explores some of the security concerns pertaining to running software similar to Amazon Alexa home assistant on IoT-like platforms. We implement a behavioral-based malware detector and compare the effectiveness of different system attributes that are used in detecting malware, i.e., system calls, network traffic, and the integration of system call and network traffic features. Given the small number of malware samples for IoT devices, we create a parameterizable malware sample that mimics Alexa behavior to varying degrees, while exfiltrating data from the device to a remote host. The performance of our anomaly detector is evaluated based on how well it determines the presence of our parameterized malware on an Alexa-enabled IoT device.

A Hybrid-interface Recovery Method for Android Kernel Fuzzing
Shuaibing Lu, Yuanping Nie, Xiaohui Kuang, and Zhechao Lin (National Key Laboratory of Science and Technology on Information System Security)


Android kernel fuzzing is a research area of interest specifically for kernel vulnerabilities which may allow attackers to obtain the root privilege. The number of Android devices is increasing rapidly with the explosive growth of Android kernel drivers. Interface-aware fuzzing is an effective technique to test the security of kernel drivers. Existing research relies on static analysis with kernel source code. However, in fact, there exist millions of Android devices without publicly accessible source code.

In this paper, we propose a hybrid interface recovery method for fuzzing kernels, which can recover the kernel driver interface whether or not the source code is available. In the white box condition, we employ a dynamic interface recovery method that can automatically and completely identify the interface knowledge. In the black box condition, we use reverse engineering to extract the key interface information and use similarity computation to infer argument types. We evaluate our hybrid algorithm on real-world devices. The experimental results show that our method can effectively recover interface argument lists and find Android kernel bugs. In total, 28 vulnerabilities are reported in white and black box conditions.

Quantifying Realistic Threats for Deep Learning Models
Zhenyu Zhong, Zhisheng Hu, and Xiaowei Chen (Baidu USA)


DNN models have suffered from adversarial example attacks which lead to inconsistent prediction results. As opposed to the gradient-based attack, which assumes white-box access to the model by the attacker, we focus on more realistic input perturbations from the real world and their actual threat severity to the model predictions.

In this work, we propose a set of safety properties introduced by these real-world perturbations. We design a framework that evaluates model robustness and threat severity to the violations against these safety properties. The framework incorporates metrics that make model-to-model comparison possible under various real-world perturbations across different machine learning tasks such as image classification and object detection. We make robustness comparisons among the 13 pre-trained models at ImageNet scale as well as 3 state-of-the-art object detection models. We believe a standardized threat quantification will encourage AI industries to make model robustness equally important as accuracy.

On the Behavior of Smart Devices
Peter Borrell, Laura Clayton, James Curry, and Daniel Massey (University of Colorado at Boulder)


A number of security incidents have involved compromised IoT devices including Mirai [1]; WannaCry [2]; etc. The problem of malware on smart devices is only expected to increase as the number of IoT devices grows [3]. This work explores how to fortify IoT devices, leveraging the fact that these are not general-purpose computers, but instead are specialty instruments that just happen to be input/output devices attached to computers on a network.

More generally, this work focuses on “infrastructure devices”. Here, we define an infrastructure device as an end point that connects to the network and does only one prescribed task. More precisely, these are a class of device that perform the same type of operation at different scales. Examples include smart thermostats, video cameras, and network connected medical devices. These devices are substantially different in behavior from general purpose devices such as laptops, tablets, phones, etc.

Our work attempts to identify devices that exhibit patterns of behavior that flag them as infrastructure devices and analyze their traffic to determine how secure they are on the network.

Cybersecurity Curriculum Framework
Jennifer Peyrot (University of Colorado, Boulder); Mark Emry (McNeil High School); Jenny Daugherty and Melissa Dark (Dark Enterprises); Daniel Massey (University of Colorado, Boulder)


As more high school teachers integrate cybersecurity into their classrooms, the need for a coherent curriculum framework becomes more pressing. A curriculum framework sets the parameters, directions and standards for curriculum policy and practice. The Cybersecurity Curriculum Framework was designed by educators from high school and higher education, who collectively have vast experience teaching computer science and cybersecurity. The framework has four levels: big ideas, enduring understandings, learning objectives, essential knowledge statements. Educators have been accessing the CCF and we are currently measuring the usefulness of it for teachers as they create cybersecurity courses and units.

Impacts of Post Quantum Cryptography on Blockchain
Elsa Velazquez and Dan Massey (CU Boulder)


This work demonstrates how post quantum cryptography impacts Blockchain. Specifically, we show that post quantum cryptography allows one to break the current Bitcoin Blockchain. This is significant as the Bitcoin Blockchain has, to date, not been compromised. Given this result, we explore how to incorporate quantum safe cryptography into Blockchain and ultimately produce a roadmap for developing a quantum safe Blockchain.

Practical and Robust Privacy Amplification with Multi-Party Differential Privacy
Tianhao Wang (Purdue University); Min Xu (University of Chicago); Bolin Ding and Jingren Zhou (Alibaba); Ninghui Li and Somesh Jha (University of Wisconsin)


When collecting information, local differential privacy (LDP) alleviates privacy concerns of users, as users' private information is randomized before being sent to the central aggregator. However, LDP results in loss of utility due to the amount of noise that is added. To address this issue, recent work introduced an intermediate server with the assumption that this intermediate server did not collude with the aggregator. Using this trust model, one can add less noise to achieve the same privacy guarantee, thus improving the utility.

In this paper, we investigate this multiple-party setting of LDP. We first analyze the threat model and identify potential adversaries. We then make observations about existing approaches and propose new techniques that achieve a better privacy-utility tradeoff than existing ones. Finally, we perform experiments to compare different methods and demonstrate the benefits of using our proposed method.

Real-time Privacy Analysis of IoT Apps
Leonardo Babun (Florida International University); Z. Berkay Celik (Purdue University); Patrick McDaniel (Pennsylvania State University); A. Selcuk Uluagac (Florida International University)

IoT apps have access to sensitive data to implement their functionality. However, users lack visibility into how their sensitive data is used (or leaked). To overcome these limitations, in this poster, we present our ongoing work for a novel dynamic analysis tool to uncover privacy risks in IoT apps. The proposed tool uses app instrumentation and Natural Language Processing to inform the users about sensitive data leaks and privacy concerns from IoT apps in real-time.

Towards Memory Safe Python Enclave for Security Sensitive Computation
Huibo Wang (Baidu X-Lab/The University of Texas at Dallas); Mingshen Sun, Qian Feng, Pei Wang, Tongxin Li, and Yu Ding (Baidu X-Lab)


Intel Software Guard eXtensions (SGX), a hardware-supported trusted execution environment (TEE), is designed to protect security-sensitive applications. However, since enclave applications are developed with memory-unsafe languages such as C/C++, the traditional memory corruption is not eliminated in SGX. Rust-SGX is the first toolkit providing enclave developers with a memory-safe language. However, Rust is considered a systems language and has become a good choice for concurrent applications and web browsers. Many application domains such as Big Data, Machine Learning, Robotics, and Computer Vision are more commonly developed in the Python programming language. Therefore, Python application developers cannot benefit from secure enclaves like Intel SGX and Rust-SGX.

To fill this gap, we propose Python-SGX, which is a memory-safe SGX SDK providing enclave developers a memory-safe Python development environment. The key idea is to enable a memory-safe Python language in SGX by solving the following key challenges: (1) defining a memory-safe Python interpreter, (2) replacing unsafe elements of the Python interpreter with safe ones, (3) achieving comparable performance to non-enclave Python applications, and (4) not introducing any unsafe new code or libraries into SGX. We propose to build Python-SGX with PyPy, a Python interpreter written in RPython, which is a subset of Python, and tame unsafe parts in PyPy by formal verification, security hardening, and memory-safe language.

Recovering Access to Account Using Location Data
Hidehito Gomi and Shuji Yamaguchi (Yahoo Japan Corporation)


Account recovery has been known as a backup mechanism to reclaim a user's lost account. However, typical knowledge-based methods are known as vulnerable to account abuse. To improve security while keeping usability, we propose an account recovery system verifying the similarity of two types of location datasets that have been collected via different devices of users without any explicit registration process. With the proposed method, we conducted an experimental study to evaluate performance measures such as false acceptance and false rejection using the location data of 285 users and obtained a 0.075 equal error rate.

A Novel Fine-grained Access Control System for Multi-user Multi-device Smart Home Systems
Amit Kumar Sikder and Leonardo Babun (Florida International University); Z. Berkay Celik (Purdue University); Hidayet Aksu (Florida International University); Patrick Mcdaniel (Penn State University); Engin Kirda (Northeastern University); A. Selcuk Uluagac (Florida International University)

In smart home systems, multiple users use multiple smart home devices simultaneously. This multi-user ecosystem gives rise to complex, asymmetric, and conflicting demands on multiple devices, which cannot be solved by the traditional single-user smart home access control systems. To address this problem, in this poster, we present our ongoing work to introduce a multi-user multi-device-aware access control mechanism for smart home systems.

I Know Your Activities Even When Data Is Encrypted: Smart Traffic Analysis via Fusion Deep Neural Network
Tao Hou (University of South Florida); Tao Wang (New Mexico State University); Zhuo Lu and Yao Liu (University of South Florida)


Network transmissions are vulnerable to Man-In-The-Middle (MITM) attacks. Through decoding intercepted data, attackers may infer victims’ sensitive activities or even steal their private information (e.g., password). Though transmitted data can be encrypted against eavesdropping, attackers can still infer user activities via traffic analysis. Nevertheless, previous inference methods usually have the limitation that they can only achieve a relatively high accuracy in a specific domain (e.g., app usages, spoken phrases, motion and behaviors). In this research, we propose a smart traffic analysis strategy to overcome this limitation. By developing a fusion deep neural network, our design can infer a user’s activities of multiple domains with a higher accuracy. We also implement a prototype tool on top of this design to conduct experiments. The preliminary evaluation results show our strategy works effectively in activity inference on encrypted data, with an accuracy rate as high as 99.17%.

Classifying and Mitigating Side-Channel Vulnerabilities between VMs
Jinpeng Miao, Dwight Browne, Abdulrahman Alaraj, Tamara Lehman, and Daniel Massey (University of Colorado at Boulder)


Side-channel attacks seriously threaten system security. With the popularity of large-scale cloud services and virtualization technology, remote side-channel attacks are more concealed and more powerful. Thus, corresponding countermeasures and solutions are needed. However, these attacks often exploit different properties and hence require distinct defenses, which is the tricky problem and also the motivation of our work. In this work, we try to classify side-channel attacks and discuss the defenses. We also attempt to propose methods to mitigate side-channel vulnerabilities between virtual machines (VMs) from hypervisor or hardware level without significant performance degradation and energy consumption.

IXmon: Detecting DDoS Attacks at IXPs
Karthika Subramani (University of Georgia); Roberto Perdisci (University of Georgia and Georgia Tech); Maria Konte (Georgia Tech)


Large-scale distributed denial of service (DDoS) attacks pose an imminent threat to the availability of critical Internet-based operations, and have become part of sophisticated cyber-warfare arsenals. In this research, we investigate innovative, machine learning-based detection and mitigation solutions against bandwidth exhaustion DDoS attacks that can be deployed at the core of the Internet, within Internet exchange points (IXPs). Specifically, we propose IXmon, a system for detecting distributed reflective DoS (DRDoS) attacks, which rely on spoofed IP traffic to amplify the attacker's bandwidth. IXmon monitors NetFlow traffic collected from a large real-world Internet peering hub, and is able to detect DRDoS attacks and other anomalies. In addition to detecting the presence of a DRDoS attack crossing the IXP infrastructure, IXmon is also able to identify the ASes that are the source of the attack, along with the specific transport protocol and port used to perform the reflection attack. Using this information, the IXP operators may be able to implement a more surgical traffic blackholing approach, thus mitigating the attack with less collateral damage than existing blackholing approaches.

