The following technical papers have been accepted for this year's program.
SESSION: Machine Learning Security 1
Model extraction attacks aim to duplicate a machine learning model through query access to a target model. Early studies mainly focus on discriminative models. Despite the success, model extraction attacks against generative models are less well explored. In this paper, we systematically study the feasibility of model extraction attacks against generative adversarial networks (GANs). Specifically, we first define fidelity and accuracy on model extraction attacks against GANs. Then we study model extraction attacks against GANs from the perspective of fidelity extraction and accuracy extraction, according to the adversary’s goals and background knowledge. We further conduct a case study where the adversary can transfer knowledge of the extracted model which steals a state-of-the-art GAN trained with more than 3 million images to new domains to broaden the scope of applications of model extraction attacks. Finally, we propose effective defense techniques to safeguard GANs, considering a trade-off between the utility and security of GAN models.
Face verification system (FVS), which can automatically verify a person’s identity, has been increasingly deployed in real-world settings. Key to its success is the inclusion of face embedding, a technique that can detect similar photos of the same person using deep neural networks.
We found that the score displayed together with the verification result can be utilized by an adversary to “fabricate” a face to pass FVS. Specifically, embeddings can be reversed at high accuracy with the scores. The adversary can further learn the appearance of the victim using a new machine-learning technique developed by us, which we call embedding-reverse GAN. The attack is quite effective in embedding and image recovery. With 2 queries to an FVS, the adversary can bypass the FVS at a 40% success rate. When the query number rises to 20, FVS can be bypassed almost every time. The reconstructed face image is also similar to the victim’s.
Two Souls in an Adversarial Image: Towards Universal Adversarial Example Detection using Multi-view Inconsistency
In the evasion attacks against deep neural networks (DNN), the attacker generates adversarial instances that are visually indistinguishable from benign samples and sends them to the target DNN to trigger misclassifications. In this paper, we propose a novel multi-view adversarial image detector, namely Argos, based on a novel observation. That is, there exist two “souls” in an adversarial instance, i.e., the visually unchanged content, which corresponds to the true label, and the added invisible perturbation, which corresponds to the misclassified label. Such inconsistencies could be further amplified through an autoregressive generative approach that generates images with seed pixels selected from the original image, a selected label, and pixel distributions learned from the training data. The generated images (i.e., the “views”) will deviate significantly from the original one if the label is adversarial, demonstrating inconsistencies that Argos expects to detect. To this end, Argos first amplifies the discrepancies between the visual content of an image and its misclassified label induced by the attack using a set of regeneration mechanisms and then identifies an image as adversarial if the reproduced views deviate to a preset degree. Our experimental results show that Argos significantly outperforms two representative adversarial detectors in both detection accuracy and robustness against six well-known adversarial attacks. Code is available at: https://github.com/sohaib730/Argos-Adversarial_Detection
Federated learning (FL) has demonstrated tremendous success in various mission-critical large-scale scenarios. However, such a promising distributed learning paradigm is still vulnerable to privacy inference and byzantine attacks. The former aims to infer the privacy of target participants involved in training, while the latter focuses on destroying the integrity of the constructed model. To mitigate the above two issues, a few works recently explored unified solutions by utilizing generic secure computation techniques and common byzantine-robust aggregation rules, but there are two major limitations: 1) they suffer from impracticality due to efficiency bottlenecks, and 2) they are still vulnerable to various types of attacks because of model incomprehensiveness.
To approach the above problems, in this paper, we present SecureFL, an efficient, private and byzantine-robust FL framework. SecureFL follows the state-of-the-art byzantine-robust FL method (FLTrust NDSS’21), which performs comprehensive byzantine defense by normalizing the updates’ magnitude and measuring directional similarity, adapting it to the privacy-preserving context. More importantly, we carefully customize a series of cryptographic components. First, we design a crypto-friendly validity checking protocol that functionally replaces the normalization operation in FLTrust, and further devise tailored cryptographic protocols on top of it. Benefiting from the above optimizations, the communication and computation costs are reduced by half without sacrificing the robustness and privacy protection. Second, we develop a novel preprocessing technique for costly matrix multiplication. With this technique, the directional similarity measurement can be evaluated securely with negligible computation overhead and zero communication cost. Extensive evaluations conducted on three real-world datasets and various neural network architectures demonstrate that SecureFL outperforms prior art up to two orders of magnitude in efficiency with state-of-the-art byzantine robustness.
Robustness to adversarial examples of machine learning models remains an open topic of research. Attacks often succeed by repeatedly probing a fixed target model with adversarial examples purposely crafted to fool it. In this paper, we introduce Morphence, an approach that shifts the defense landscape by making a model a moving target against adversarial examples. By regularly moving the decision function of a model, Morphence makes it significantly challenging for repeated or correlated attacks to succeed. Morphence deploys a pool of models generated from a base model in a manner that introduces sufficient randomness when it responds to prediction queries. To ensure repeated or correlated attacks fail, the deployed pool of models automatically expires after a query budget is reached and the model pool is seamlessly replaced by a new model pool generated in advance. We evaluate Morphence on two benchmark image classification datasets (MNIST and CIFAR10) against five reference attacks (2 white-box and 3 black-box). In all cases, Morphence consistently outperforms the thus-far effective defense, adversarial training, even in the face of strong white-box attacks, while preserving accuracy on clean data and reducing attack transferability.
SESSION: Applied Cryptography
Two entities, who only share a password and communicate over an insecure channel, authenticate each other and agree on a large session key for protecting their subsequent communication. This is called a password-authenticated key exchange (PAKE) protocol. PAKE protocols have been considered a suitable substitute for the prevailing hash-based authentication, which is vulnerable to various attacks. However, vendors are discouraged by both its prohibitive computational overheads and its integration costs, leading to its limited use since being proposed.
After carefully analyzing the general workflow of PAKE protocols, we present Heterogeneous-PAKE, an entire PAKE stack with high-performance and compatibility for both client-side and server-side for Web systems. Using SRP and SPAKE2+ as case studies, we conduct a series of comprehensive experiments, especially comparing with the conventional hash-based solutions to evaluate the Heterogeneous-PAKE. The implementation harvests high throughput on the server-side with over 240k, 70k, 30k, and 1,650k operations per second for SRP-1024, SRP-1536, SRP-2048, and SPAKE2+ respectively. Meanwhile, on most testing platforms, the latency is well controlled within user-acceptable bounds, especially the SPAKE2+ whose delay is less than 3x that of a traditional authentication approach based on Bcrypt. The empirical results demonstrate that the Heterogeneous-PAKE is a very economical (with only a GPU-ready server) and convenient (with an easy-to-integrate software stack without user participation or database rebuilding) solution for upgrading existing systems with high-performance PAKE services.
Many security protocols used for daily Internet traffic have been used for decades and standardization bodies like the IETF often provide extensions for legacy protocols to deal with new requirements. Even though the security aspects for extensions are carefully discussed, automated reasoning has proven to be a valuable tool to uncover security holes that would otherwise have gone unnoticed. Therefore, Automated Theorem Proving (ATP) is already a customary procedure for the development of some new protocols, e.g., TLS 1.3 and MLS.
IKEv2, the key exchange for the IPsec protocol suite, is expected to undergo significant changes to facilitate the integration of Post-Quantum Cryptography. We present the first formal security model for the IKEv2-handshake in a quantum setting together with an automated proof using the Tamarin Prover. Our model focuses on the core state machine, is therefore easily extendable, and aims to promote the use of ATP in IPsec-standardization. The security model captures gaps in the protocol, but treats the specific implementation (like fragmentation mechanisms, for example) as a black box. With IKE_INTERMEDIATE we showcase this approach on a recently proposed extension that significantly changes the protocol’s state machine.
In this paper, we propose a new optimization for Paillier’s additively homomorphic encryption scheme (Eurocrypt’99). At the heart of our optimization is a well-chosen subgroup of the underlying , which is used as the randomness space for masking messages during encryption. The size of the subgroup is significantly smaller than that of , leading to faster encryption and decryption algorithms in our optimization. We establish the one-wayness and semantic security of our optimized Paillier scheme upon those of an optimization (i.e., “Scheme 3”) made by Paillier in Eurocrypt’99. Thus, our optimized scheme is one-way under the partial discrete logarithm (PDL) assumption, and is semantically secure under the decisional PDL (DPDL) assumption. On the other hand, we present a detailed analysis of the concrete security of our optimized scheme under several known methods. To provide 112-bit security, our analysis suggests that a 2048-bit modulus N and a well-chosen subgroup of size 448 bits would suffice. We compare our optimization with existing optimized Paillier schemes, including the optimization proposed by Jurik in his Ph.D. thesis and Paillier’s optimization in Eurocrypt’99. Our experiments show that:
– the encryption of our optimization is about 2.7 times faster than that of Jurik’s optimization and about 7.5 times faster than that of Paillier’s optimization;
– the decryption of our optimization is about 4.1 times faster than that of Jurik’s optimization and has performance similar to that of Paillier’s optimization.
A digital signature is an essential cryptographic tool to offer authentication with public verifiability, non-repudiation, and scalability. However, digital signatures often rely on expensive operations that can be highly costly for low-end devices, typically seen in the Internet of Things and Systems (IoTs). These efficiency concerns deepen further when post-quantum secure digital signatures are considered. Hence, it is of vital importance to devise post-quantum secure digital signatures that are designed with the needs of such constrained IoT systems in mind.
In this work, we propose a novel lightweight post-quantum digital signature that respects the processing, memory, and bandwidth limitations of resource-limited IoTs. Our new scheme, called , efficiently transforms a one-time signature into a (polynomially-bounded) many-time signature via a distributed public key computation method. This new approach enables a resource-limited signer to compute signatures without any costly lattice operations (e.g., rejection sampling, matrix multiplications, etc.), with only a low memory footprint and compact signature sizes. We also developed a variant of with forward security, which is an extremely costly property to attain via state-of-the-art post-quantum signatures.
Due to standardization, AES is today’s most widely used block cipher. Its security is well-studied and hardware acceleration is available on a variety of platforms. Following the success of the Intel AES New Instructions (AES-NI), support for Vectorized AES (VAES) was added in 2018 and has already been shown to be useful for accelerating many implementations of AES-based algorithms where the order of AES evaluations is fixed a priori.
In our work, we focus on using VAES to accelerate the computation in secure multi-party computation protocols and applications. For some MPC building blocks, such as OT extension, the AES operations are independent and known a priori and hence can be easily parallelized, similar to the original paper on VAES by Drucker et al. (ITNG’19). We evaluate the performance impact of using VAES in the AES-CTR implementations used in Microsoft CrypTFlow2, and the EMP-OT library which we accelerate by up to 24%.
The more complex case that we study for the first time in our paper is dependent AES calls that are not fixed in advance and hence cannot be parallelized manually. This is the case for garbling schemes. To get optimal efficiency from the hardware, enough independent calls need to be combined for each batch of AES executions. We identify such batches using a deferred execution technique paired with early execution to reduce non-locality issues, and more static techniques using circuit depth and explicit gate independence. We present a performance-focused and a modularity-focused technique to compute the AES operations efficiently while also immediately using the results and preparing the inputs. Using these techniques, we achieve a performance improvement via VAES of up to 244% for the ABY framework and of up to 28% for the EMP-AGMPC framework. By implementing several garbling schemes from the literature using VAES acceleration, we obtain 171% better performance for ABY.
SESSION: Software Security 1
The Itanium ABI is the most popular C++ ABI that defines data structures essential to implement underlying object-oriented concepts in C++. Specifically, name mangling rules, object and VTable layouts, alignment, etc. are all mandated by the ABI. Adherence to the ABI comes with undesirable side effects. While it allows interoperability, past research efforts have shown that it provides robust inference points that an attacker can leverage to reveal sensitive design information through binary reverse engineering. In this work, we aim to reduce the ability of an attacker to successfully reverse engineer a binary. We do this via removal of what we call ABI Bias, i.e., the reverse engineering bias that manifests due to a compiler’s adherence to the ABI.
Specifically, we identify two types of ABI biases that are central to past reverse engineering works on C++ binaries: VTable ordering bias and Function Pointer bias. We present compiler-based techniques that can correctly and efficiently debias a given binary from the aforementioned biases. We evaluate our proof-of-concept implementation on a corpus of real world programs for binary size, correctness and performance. We report an average increase of 1.42% in binary size compared to the baseline, very low performance overhead and lastly, correct execution of evaluation programs in comparison to the baseline. Finally, we demonstrate efficacy of our approach by hindering DeClassifier, a state-of-the-art C++ reverse engineering framework.
A function recognition problem serves as a basis for further binary analysis and many applications. Although common challenges for function detection are well known, prior works have repeatedly claimed a noticeable result with a high precision and recall. In this paper, we aim to fill the void of what has been overlooked or misinterpreted by closely looking into the previous datasets, metrics, and evaluations with varying case studies. Our major findings are that i) a common corpus like GNU utilities is insufficient to represent the effectiveness of function identification, ii) it is difficult to claim, at least in the current form, that an ML-oriented approach is scientifically superior to deterministic ones like IDA or Ghidra, iii) the current metrics may not be reasonable enough to measure varying function detection cases, and iv) the capability of recognizing functions depends on each tool’s strategic or peculiar choice. We perform re-evaluation of existing approaches on our own dataset, demonstrating that not a single state-of-the-art tool dominates all the others. In conclusion, a function detection problem has not yet been fully addressed, and we need a better methodology and metric to make advances in the field of function identification.
The ease of reproducibility of digital artifacts raises a growing concern about copyright infringement, in particular for software products. Software watermarking is one of the promising techniques to verify the owner of licensed software by embedding a digital fingerprint. Developing an ideal software watermark scheme is challenging because i) unlike digital media watermarking, software watermarking must preserve the original code semantics after inserting the software watermark, and ii) it requires well-balanced properties of credibility, resiliency, capacity, imperceptibility, and efficiency. We present SoftMark, a software watermarking system that leverages function relocation, where the order of functions implicitly encodes a hidden identifier. By design, SoftMark does not introduce additional structures (i.e., code, blocks, or subroutines), making it robust against unauthorized detection, while maintaining a negligible performance overhead and reasonable capacity. With various strategies against viable attacks (i.e., static binary re-instrumentation), we tackle the limitations of previous reordering-based approaches. Our empirical results demonstrate the practicality and effectiveness through successful embedding and extraction of various watermark values.
Software protection in practice addresses the yearly loss of tens of billions of USD for software manufacturers, a result of malicious end-users tampering with the software (“software cracking”). Software protection is prevalent in the gaming and license checking industries, and also relevant in the embedded and other industries. State-of-the-art research in the area of software tamper protection against man-at-the-end (MATE) attackers focuses on the localization of integrity checks. The goal of this paper is a general assessment of the resilience of software self-checking, itself protected by obfuscations, against (1) (automated) detection and (2) (automated) bypass, without deobfuscating the code. Using dynamic taint analysis on a benchmark set of programs, we study how easy it is to detect and bypass combinations of self-checking and various obfuscation transformations. We aim at generalizing these findings across different programs rather than focusing on one particular program instance. To this end, we perform a set of controlled experiments using a data set of real-world programs, the MiBench suite and open-source games, and show that all of these can be broken by dynamic taint analysis attacks. To counter such attacks, we propose and implement improvements to an existing obfuscation implementation. We evaluate the implemented improvements and discuss the security-performance trade-offs.
Online Q&A fora such as Stack Overflow assist developers in solving the coding problems they face. Despite the advantages, Stack Overflow has the potential to provide insecure code snippets that, if reused, can compromise the security of the entire software.
We present Dicos, an accurate approach that examines the change history of Stack Overflow posts to discover insecure code snippets. When a security issue is detected in a post, the insecure code is fixed to be safe through user discussions, leaving a change history. Inspired by this process, Dicos first extracts the change history from the Stack Overflow post, and then analyzes whether the history contains security patches, by utilizing pre-selected features that can effectively identify security patches. Finally, when such changes are detected, Dicos determines that the code snippet before applying the security patch is insecure.
To evaluate Dicos, we collected 1,958,283 Stack Overflow posts tagged with C, C++, and Android. When we applied Dicos to the collected posts, Dicos discovered 12,458 insecure posts (i.e., 14,719 insecure code snippets) from the collected posts with 91% precision and 93% recall. We further confirmed that the latest versions of 151 out of 2,000 popular C/C++ open-source software projects contain at least one insecure code snippet taken from Stack Overflow, as discovered by Dicos. Our proposed approach, Dicos, can contribute to preventing further propagation of insecure code and thus to creating a safe code reuse environment.
SESSION: Privacy and Anonymity
To enable enhanced accountability of Unmanned Aerial Vehicle (UAV) operations, the US-based Federal Avionics Administration (FAA) recently published a new dedicated regulation, namely RemoteID, requiring UAV operators to broadcast messages reporting their identity and location. The enforcement of such a rule, mandatory by 2022, generated significant concerns among UAV operators, primarily because of privacy issues derived from the indiscriminate broadcast of the plain-text identity of the UAV on the wireless channel.
In this paper, we propose ARID, a solution enabling RemoteID-compliant Anonymous Remote Identification of UAVs. The adoption of ARID allows UAVs to broadcast RemoteID-compliant messages using ephemeral pseudonyms that only a Trusted Authority, such as the FAA, can link to the long-term identifier of the UAV and its operator. Moreover, ARID also enforces UAV message authenticity, to protect UAVs against impersonation and spoofed reporting, while requiring an overall minimal toll on the battery budget. Furthermore, ARID generates negligible overhead on the Trusted Authority, not requiring the secure maintenance of any private database.
While the security properties of ARID are thoroughly discussed and formally verified with ProVerif, we also implemented a prototype of ARID on a real UAV, i.e., the 3DR-Solo drone, integrating our solution within the popular Poky Operating System, on top of the widespread MAVLink protocol. Our experimental performance evaluation shows that the most demanding configuration of ARID takes only ≈ 11.23 ms to generate a message and requires a mere 4.72 mJ of energy. Finally, we also released the source code of ARID to foster further investigations and development by Academia, Industry, and practitioners.
Cyber-physical systems revolutionize how we interact with physical systems. Smart grid is a prominent example. With new features such as fine-grained billing, user privacy is at a greater risk than before. For instance, a utility company () can infer users’ (fine-grained) usage patterns from their payment. The literature only focuses on hiding individual meter readings in bill calculation. It is unclear how to preserve amount privacy when the needs to assert that each user has settled the amount as calculated in the bill.
We advocate a new paradigm of cash payment settlement enabling payment privacy. Users pay their bills in unit amounts so that they can hide in the crowd. Meanwhile, can obtain payments earlier in the pay-as-you-go model, leading to a win-win situation. A highlight of our proposed system, Sipster, is that the receipts for the payments can be combined into an O(1)-size receipt certifying the smart meter’s certification. Without such aggregation, techniques such as zero-knowledge proof would fail since they typically cannot hide the size of the witness. Seemingly helpful tools, e.g., aggregate signatures or fully homomorphic signatures, also fail.
The novelty of Sipster lies in fulfilling our five goals simultaneously: 1) privacy-preserving: the cannot infer a user’s payment amount; 2) prover-efficient: no zero-knowledge proof is ever needed; 3) verifier-efficient: it takes O(1) time to verify a combined receipt; 4) double-claiming-free: users cannot present the same receipt twice; and 5) minimalistic smart meter: it has the capability to report signed readings (needed even in a non-private setting).
Safeguarding privacy in data sharing is challenging, especially when data owners lose control over their data once it is passed to another party. Our work aims to build a data-sharing platform that enables data owners to regain control over their shared data. Specifically, sensitive data is first encapsulated into a data capsule. The platform regulates functional access to the data capsule, i.e., the receiver can compute a predefined function on the data with its input and learns nothing else. The platform also enforces self-expiry of the data capsule. In addition, the data capsule features a notion of “send-and-forget” wherein data owners can go offline after releasing their data capsules. As a result, data capsules can be freely circulated.
Each data capsule is associated with an access policy and a usage transcript. The former specifies which functions are eligible to access the protected data and its expiry conditions, whereas the latter is used to determine if the expiry conditions have been met. To regulate functional access, one efficient solution is to employ a Trusted Execution Environment (TEE) with attested execution. Nonetheless, we observe that the use of a TEE alone is not sufficient to accomplish self-expiry, for TEEs are vulnerable to rollback attacks via which an adversary could “unwind” the usage transcript of an expired data capsule or double-consume the protected data. Moreover, a straightforward implementation would need a single master key to reside in the TEE, leading to a single point of failure. Our solution, TEEKAP, addresses these challenges by embracing decentralization, employing a committee of independent and mutually distrusting nodes to uphold the integrity of usage transcripts and the confidentiality of encryption keys. TEEKAP integrates TEE, consensus protocol, and threshold secret sharing in a novel way. Experiments conducted in realistic deployment settings on Microsoft Azure show that TEEKAP can process access requests at scale.
Website fingerprinting attacks on Tor pose a security issue for anonymity and privacy, in which attackers can identify websites visited by victims by passively capturing and analyzing encrypted packet traces. Although related works have been studied over a long period, most of them focus on single-tab packet traces, which only contain one page tab’s data. However, users often open multiple page tabs successively when browsing the web, and the multi-tab packet traces generated will corrupt common single-tab attacks. Existing multi-tab attacks still depend on elaborate feature engineering; besides, they fail to exploit the overlapping area, which contains the mixed data of two adjacent page tabs, and thus suffer from information loss or confusion. In this paper, we propose a Block Attention Profiling Model named BAPM as a new multi-tab attacking model. Specifically, BAPM fully utilizes the whole multi-tab packet trace, including the overlapping area, to avoid information loss. It generates a tab-aware representation from direction sequences and performs block division to separate mixed page tabs as clearly as possible, thus relieving the information confusion. Then attention-based profiling is used to group blocks belonging to the same page tab, and finally multiple websites are simultaneously identified under a global view. We compare BAPM with state-of-the-art multi-tab attacks, and BAPM outperforms the comparison methods even with a larger overlapping area. The effectiveness of the model design is also validated through ablation, sensitivity and generalization analysis.
Try before You Buy: Privacy-preserving Data Evaluation on Cloud-based Machine Learning Data Marketplace
A cloud-based data marketplace provides a service to match data shoppers with appropriate data sellers, so that data shoppers can augment their internal data sets with external data to improve their machine learning (ML) models. Since data may contain diverse values, it is critical for a shopper to evaluate the most valuable data before making the final trade. However, evaluating ML data typically requires the cloud to access a shopper’s ML model and sellers’ data, which are both sensitive. None of the existing cloud-based data marketplaces enable ML data evaluation while preserving both model privacy and data privacy. In this paper, we develop a privacy-preserving ML data evaluation framework on a cloud-based data marketplace to protect shoppers’ ML models and sellers’ data. First, we provide a privacy-preserving framework that allows shoppers and sellers to encrypt their models and data, respectively, while preserving data functionality and model functionality in the cloud. We then develop a privacy-preserving data selection protocol that enables the cloud to help shoppers select the most valuable ML data. Also, we develop a privacy-preserving data validation protocol that allows shoppers to further check the quality of the selected data. Compared to random data selection, the experimental results show that our solution can reduce prediction errors by 60%.
SESSION: Distributed systems
Both AMD and Intel have presented technologies for confidential computing in cloud environments. The proposed solutions — AMD SEV (-ES, -SNP) and Intel TDX — protect virtual machines (VMs) against attacks from higher privileged layers through memory encryption and integrity protection. This model of computation draws a new trust boundary between virtual devices and the VM, which so far lacks thorough examination. In this paper, we therefore present an analysis of the virtual device interface and discuss several attack vectors against a protected VM. Further, we develop and evaluate VIA, an automated analysis tool to detect cases of improper sanitization of input received via the virtual device interface. VIA improves upon existing approaches for the automated analysis of device interfaces in the following aspects: (i) support for virtualization-relevant buses, (ii) efficient Direct Memory Access (DMA) support and (iii) performance. VIA builds upon the Linux Kernel Library and clang’s libfuzzer to fuzz the communication between the driver and the device via MMIO, PIO, and DMA. An evaluation of VIA shows that it performs 570 executions per second on average and improves performance compared to existing approaches by an average factor of 2706. Using VIA, we analyzed 22 drivers in Linux 5.10.0-rc6, thereby uncovering 50 bugs and initiating multiple patches to the virtual device driver interface of Linux. To prove our findings’ criticality under the threat model of AMD SEV and Intel TDX, we showcase three exemplary attacks based on the bugs found. The attacks enable a malicious hypervisor to corrupt the memory and gain code execution in protected VMs with SEV-ES and are theoretically applicable to SEV-SNP and TDX.
Rocky: Replicating Block Devices for Tamper and Failure Resistant Edge-based Virtualized Desktop Infrastructure
Recently, edge-based virtual desktop infrastructure (EdgeVDI), which brings the power of virtualized desktop infrastructure to cloudlets closer to users, has been considered an attractive solution for WAN mobility. However, ransomware and wiper malware are becoming more and more prevalent, and can impose serious cybersecurity threats on EdgeVDI users. Existing tamper-resistant solutions cannot deal with cloudlet failures. In this paper, we propose Rocky, the first distributed replicated block device for EdgeVDI that can recover from tampering attacks and failures. The key enabler is replication that stores a consistent write sequence across cloudlets as an append-only immutable mutation history. In addition, Rocky uses a replication broker to allow heterogeneous cloudlets to control replication rates at their own pace, and reduces both disk space and network bandwidth consumption by coalescing writes for both uplink and downlink. To show the feasibility of Rocky, we implemented Rocky in Java. The experimental results show that Rocky’s write and read throughputs are similar to those of a baseline device, with 8.4% and 11.9% additional overhead, respectively. In addition, we could reduce repeated writes by 88.5% and 100% for editing presentation slides and a photo, respectively.
Privacy-centric mobile social networks (PC-MSNs), which allow users to build intimate and private social circles, are an increasingly popular type of online social network (OSN). Because of the strict usage policies enforced by PC-MSNs (such as restricted account and content access), malicious accounts (or users) have to act like normal accounts to accumulate credentials before committing malicious activities. Therefore, analysis relying merely on static account profile information or social graphs is ineffective at detecting such growing-up accounts. Besides, existing behavior-based malicious account detection methods fail to effectively detect growing-up accounts that pretend to be benign and behave similarly to benign users during the growing-up stage.
In this paper, we present the first comprehensive study of the growing-up behaviors of malicious accounts in WeChat, one of the major PC-MSNs with billions of daily active users across the globe. Our analysis reveals that the behavior patterns of growing-up accounts are very similar to those of benign users, and yet quite different from those of typical malicious accounts. Based on this observation, we design Muses, a detection system that can automatically identify subtle yet effective behaviors (features) to distinguish growing-up accounts before they engage in obvious malicious campaigns. Muses is unsupervised, so it can adapt to new malicious campaigns even if the behavior patterns of malicious accounts are unknown a priori. In particular, Muses addresses the limitation of previous supervised techniques, i.e., requiring manually labeled training sets, which is time-consuming and costly. We evaluate Muses on a large-scale anonymized dataset from WeChat with roughly 440k accounts. The experimental results show that Muses achieves 2x recall, with similar precision, compared with the previous methods. Specifically, Muses detects over 82% of growing-up accounts with a precision of 90% and achieves an AUC of 0.95. Notably, Muses can also effectively detect growing-up accounts even if malicious users apply various evasion strategies.
Recent IoT applications gradually adopt more complicated end systems with commodity software. Ensuring the runtime integrity of this software is a challenging task for the remote controller or cloud services. A popular enforcement is runtime remote attestation, which requires the end system (prover) to generate evidence of its runtime behavior and a remote trusted verifier to attest the evidence. Control-flow attestation is a kind of runtime attestation that provides diagnoses of remote control-flow hijacking at the prover. Most of these attestation approaches focus on small or embedded software. The recent advance in attesting complicated software depends on the source code and CFG traversal to measure checkpoint-separated subpaths, which may be unavailable for commodity software and may cause context to be missed between consecutive subpaths in the measurements.
In this work, we propose a resilient control-flow attestation (ReCFA), which does not need the offline measurement of all legitimate control-flow paths and is thus scalable to complicated commodity software. Our main contribution is a multi-phase approach to condensing the runtime control-flow events; as a result, the vast amount of control-flow events is abstracted into a deliverable size. The condensing approach consists of filtering skippable call sites, folding program-structure-related control-flow events, and a greedy compression. Our approach is implemented with binary-level static analysis and instrumentation. We employ a shadow stack mechanism at the verifier to enforce context-sensitive control-flow integrity and to diagnose the compromised control-flow events that violate the security policy. The experimental results on real-world benchmarks show both the efficiency of the control-flow condensing and the effectiveness of the security enforcement.
Edge Machine Learning (EdgeML) algorithms on edge devices facilitate safety-critical applications like building security management and smart city interventions. However, their wired/wireless connections with the Internet make such platforms vulnerable to attacks that compromise the embedded software. We find that in prior work, the issue of regular runtime integrity assessment of the deployed software with negligible EdgeML performance degradation is still unresolved. In this paper, we present PracAttest, a practical runtime attestation framework for embedded devices running compute-heavy EdgeML applications. Unlike conventional remote attestation schemes that check the entire software in each attestation event, PracAttest segments the software and randomizes the integrity check of these segments over short random attestation intervals. The segmentation coupled with the randomization leads to a novel performance-vs-security trade-off that can be tuned to the EdgeML application’s performance requirements. Additionally, we implement three realistic EdgeML benchmarks for pollution measurement, traffic intersection control, and face identification, using state-of-the-art neural network and computer vision algorithms. We specify and verify security properties for these benchmarks and evaluate the efficacy of PracAttest in attesting the verified software. PracAttest provides a 50x-80x speedup over the state-of-the-art baseline in terms of mean attestation time, with negligible impact on application performance. We believe that the novel performance-vs-security trade-off facilitated by PracAttest will expedite the adoption of runtime attestation on edge platforms.
SESSION: Usability and Human-Centric Aspects of Security
Is Visualization Enough? Evaluating the Efficacy of MUD-Visualizer in Enabling Ease of Deployment for Manufacturer Usage Description (MUD)
The IETF Manufacturer Usage Description (MUD) standard was designed to protect IoT devices through network micro-segmentation. In practice, this is implemented using per-device access control that is defined by the manufacturer. This access control is embedded in a “MUD-File”, which is transferred to the user’s network during the onboarding process, and may contain from one to hundreds of rules. Validating these rules for each device can be a challenge, particularly when devices are interacting. In response, MUD-Visualizer was designed to simplify the validation of individual and interacting MUD-Files through straightforward visualizations. In this work, we report on an evaluation of the usability and efficacy of MUD-Visualizer. The results illustrate that not only is it more usable compared to manual analysis, but the participants who used MUD-Visualizer also produced more accurate results in less time.
A Cross-role and Bi-national Analysis on Security Efforts and Constraints of Software Development Projects
Software security, which is often regarded as a non-functional requirement, tends to be less prioritized than other explicit requirements in development projects. For designing security measures that can be used in software development, we must understand the obstacles that prevent the adoption of secure software development practices. In this study, we quantitatively analyzed security efforts and constraints of software development projects through an online survey of software development professionals in the US and Japan (N=664). We revealed how certain characteristics of a development project, such as the project’s contractual relationships or the software’s target users, influence security efforts and constraints. In addition, by comparing the survey results of two groups (developers and managers), we revealed how the gap in their security efforts and constraints influences software security. We believe the results provide insights toward designing usable measures to assist security-related decision-making in software development and conducting appropriate surveys targeting software development professionals.
Behavioral authentication codes are widely used to resist abnormal network traffic. Mouse sliding behavior as an authentication method has the characteristics of containing little private information and being easy to sample. This paper analyses the attack mode of machine-generated sliding track data and extracts the physical quantity characteristics of the sliding path. Feature importance scores are used to select the candidate features, and the Pearson correlation coefficient is further used to filter out features with high correlation. This paper uses an XGBoost model as the classifier. In addition, an efficient evasion attack detection method is proposed to deal with complex human-behavior evasion attacks. The experiment was carried out on two mouse sliding datasets. The experimental results show that the proposed method achieves 99.09% accuracy and a 99.88% recall rate, and can complete the man-machine identification in 2ms.
The usage of contactless payment has surged in recent years, especially during the COVID-19 pandemic. A passive relay (PR) attack against a contactless card is a well-known threat, which has been extensively studied in the past with many solutions available. However, with the mass deployment of mobile point-of-sale (mPoS) devices, a new threat emerges, which we call mPoS-based passive (MP) attacks. In an MP attack, the various components required in a PR attack, including an NFC reader, a wireless link, a remote card emulator, and a remote payment terminal, are conveniently combined into one compact device, hence the attack becomes much easier. Since the attacker and the victim are in the same location, the previous distance-bounding or ambient-sensor-based solutions are no longer effective. In this paper, we propose a new orientation-based payment solution called OPay. OPay builds on the observation that when a user makes a legitimate contactless payment, the card and the terminal surface are naturally aligned, but in an attack scenario, this situation is less likely to occur. This allows us to distinguish legitimate payments from passive attacks by measuring the alignment of orientations. We build a concrete prototype using two Arduino boards embedded with NFC and motion sensors to act as a card and a payment terminal, respectively. To evaluate the feasibility, we recruited twenty volunteers in a user study. Participants generally find OPay easy to use, fast and reliable. Experiments show that OPay can substantially reduce the attack success rate by 85-99% with little inconvenience to real users. To the best of our knowledge, OPay is the first solution that can prevent both PR and MP attacks while preserving the existing usage model of contactless payment.
What’s in a Cyber Threat Intelligence sharing platform?: A mixed-methods user experience investigation of MISP
The ever-increasing scale and complexity of cyber attacks and cyber-criminal activities necessitate secure and effective sharing of cyber threat intelligence (CTI) among a diverse set of stakeholders and communities. CTI sharing platforms are becoming indispensable tools for cooperative and collaborative cybersecurity. Nevertheless, despite the growing research in this area, the emphasis is often placed on the technical aspects, incentives, or implications associated with CTI sharing, as opposed to investigating challenges encountered by users of such platforms. To date, user experience (UX) aspects remain largely unexplored.
This paper offers a unique contribution towards understanding the constraining and enabling factors of security information sharing within one of the leading platforms. MISP is an open source CTI sharing platform used by more than 6,000 organizations worldwide. As a technically advanced CTI sharing platform, it aims to cater to a diverse set of security information workers with distinct needs and objectives. In this respect, MISP has to pay an equal amount of attention to the UX in order to maximize and optimize the quantity and quality of threat information that is contributed and consumed.
Using mixed methods we shed light on the strengths and weaknesses of MISP from an end-users’ perspective and discuss the role UX could play in effective CTI sharing. We conclude with an outline of future work and open challenges worth further exploring in this nascent, yet highly important socio-technical context.
SESSION: CPS and IoT
In this paper, we describe how the electronic rolling shutter in CMOS image sensors can be exploited using a bright, modulated light source (e.g., an inexpensive, off-the-shelf laser) to inject fine-grained image disruptions. We demonstrate the attack on seven different CMOS cameras, ranging from cheap IoT to semi-professional surveillance cameras, to highlight the wide applicability of the rolling shutter attack. We model the fundamental factors affecting a rolling shutter attack in an uncontrolled setting. We then perform an exhaustive evaluation of the attack’s effect on the task of object detection, investigating the effect of attack parameters. We validate our model against empirical data collected on two separate cameras, showing that by simply using information from the camera’s datasheet the adversary can accurately predict the injected distortion size and optimize their attack accordingly. We find that an adversary can hide up to 75% of objects perceived by state-of-the-art detectors by selecting appropriate attack parameters. We also investigate the stealthiness of the attack in comparison to a naïve camera blinding attack, showing that common image distortion metrics cannot detect the attack’s presence. Therefore, we present a new, accurate and lightweight enhancement to the backbone network of an object detector to recognize rolling shutter attacks. Overall, our results indicate that rolling shutter attacks can substantially reduce the performance and reliability of vision-based intelligent systems.
Evaluating the Effectiveness of Protection Jamming Devices in Mitigating Smart Speaker Eavesdropping Attacks Using Gaussian White Noise
Protection Jamming Devices (PJDs) are specialized tools designed to sit on top of virtual assistant (VA) smart speakers and hinder them from “hearing” nearby user speech. PJDs aim to protect users from eavesdropping attacks by injecting a jamming signal directly into the microphones of the smart speaker. However, current signal processing routines can be used to reduce noise and enhance speech contained in noisy audio samples. Therefore, we identify a potential vulnerability for speech eavesdropping via smart speaker recordings, even when a PJD is being used. If an attacker can gain access to or facilitate smart speaker recordings, they may be able to compromise a user’s speech with successful noise cancellation. Specifically, we are interested in the potential for Gaussian white noise (GWN) to be an effective jamming signal for a PJD. To our knowledge, the effectiveness of white noise and PJDs in protecting against eavesdropping attacks has yet to receive a systematic evaluation that includes physical experiments with an actual PJD implementation.
In this work we construct our own PJD, specialized for consistent experimentation, to simulate an attack scenario where recordings from a smart speaker, in the presence of normal speech and the PJD’s jamming signal, are recovered. We perform substantial data collection under different settings to build a repository of 1500 recovered audio samples. We applied post-processing to our dataset and conducted an extensive signal/speech quality analysis including both time and frequency domain inspection, and evaluation of metrics including cross-correlation, SNR, and PESQ. Lastly, we performed feature extraction (MFCC) and built machine learning classifiers for tasks including speech (digit) recognition, speaker identification, and gender recognition. We also attempted song recognition using the Shazam app. For all speech recognition tasks that we attempted, we were able to achieve classification accuracies above that of random guessing (46% for digit recognition, 51% for speaker identification, 80% for gender identification), as well as demonstrate successful song recognition. These results highlight the real potential for attackers to compromise user speech, to some extent, using smart speaker recordings, even if the smart speaker is protected by a PJD.
As automotive security concerns are rising, the Controller Area Network (CAN), the de facto standard in-vehicle communication protocol, has come under scrutiny due to its lack of encryption and authentication. Several vulnerabilities, such as eavesdropping, spoofing, and replay attacks, have shown that the current implementation needs to be extended. Both academic and commercial solutions for a Secure CAN (S-CAN) have been proposed, but OEMs have not yet integrated them into their products. The main reasons for this lack of adoption are their heavy use of the limited computational resources in the vehicle, increased latency that can lead to missed deadlines for safety-critical messages, and insufficient space available in a CAN frame to include a Message Authentication Code (MAC).
By making a trade-off between security and performance, we develop S2-CAN, which overcomes the aforementioned problems of S-CAN. We leverage protocol-specific properties of CAN instead of using cryptographic primitives and design a “sufficiently secure” alternative CAN with minimal overhead on resources and latency. We evaluate the security of S2-CAN in four real-world vehicles by an automated vehicular attack tool. We finally show that CAN security can be guaranteed by the correct choice of a design parameter while achieving acceptable performance.
Recent findings show that smart vehicles can be exposed to relay attacks resulting from weaknesses in cryptographic operations, such as authentication and key derivation, or poor implementation of these operations. Relay attacks refer to attacks in which authentication is evaded without needing to attack a smart vehicle itself. They are a recurrent problem in practice. In this paper, we formulate the necessary relay resilience settings for strengthening authentication and key derivation and achieving the secure design and efficient implementation of cryptographic protocols based on universal composability, which allows the modular design and analysis of cryptographic protocols. We introduce Crypto-Chain, a relay resilience framework that extends Kusters’s universal composition theorem on a fixed number of protocol systems to prevent bypass of cryptographic operations and avoid implementation errors. Our framework provides an ideal crypto-chain functionality that supports several cryptographic primitives. Furthermore, we provide an ideal functionality for mutual authentication and key derivation in Crypto-Chain by which cryptographic protocols can use cryptographic operations, knowledge about the computation time of the operations, and cryptographic timestamps to ensure relay resilience. As a proof of concept, we first propose and implement a mutual authentication and key derivation protocol (MKD) that confirms the efficiency and relay resilience capabilities of Crypto-Chain and then apply Crypto-Chain to fix two protocols used in smart vehicles, namely Megamos Crypto and Hitag-AES/Pro.
An increasing number of powerful devices are equipped with network connectivity and are connected to the Internet of Things (IoT). Influenced by the steady growth in computing power of these devices, the paradigm of IoT-based service deployment is expected to change, following the example of cloud-based infrastructure: an embedded platform can be provided as-a-service to several independent application service suppliers. This fosters additional challenges concerning security and isolation. At the same time, recently revealed critical vulnerabilities like Ripple20 and Amnesia:33 show that embedded devices are not spared from widespread attacks.
In this paper, we define new trusted computing concepts, focusing on privilege separation among several entities sharing one physical device. The concepts guarantee remote recovery capabilities within a bounded amount of time, even if notable portions of the software stack have been compromised. We derive a resilient system architecture suitable for the secure operation of multiple isolated services on one embedded device. We integrate an interface for detecting intrusions and anomalies to enable the automatic recovery of compromised devices and prototype our system on a Nitrogen8M development board. Our evaluation shows that the overhead in terms of network throughput and CPU performance is low so that we believe that our concept is a meaningful step towards more resilient future IoT devices.
SESSION: Authentication and Passwords
Global Feature Analysis and Comparative Evaluation of Freestyle In-Air-Handwriting Passcode for User Authentication
Freestyle in-air-handwriting passcode-based user authentication methods address the needs for Virtual Reality (VR) / Augmented Reality (AR) headsets, wearable devices, and game consoles where a physical keyboard cannot be provided for typing a password, but a gesture input interface is readily available. Such an authentication system can capture the hand movement of writing a passcode string in the air and verify the user identity using both the writing content (like a password) and the writing style (like a behavior biometric trait). However, distinguishing handwriting signals from different users is challenging in signal processing, feature extraction, and matching. In this paper, we provide a detailed analysis of the global features of in-air-handwriting signals and a comparative evaluation of such a user authentication framework. Also, we build a prototype system with two different types of hand motion capture devices, collect two datasets, and conduct an extensive evaluation.
We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features. First, after a user enters a username and password on a login terminal, a unique identifier is displayed to her. She inputs the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and automatically transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders concurrent attacks ineffective. Third-party services, such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc.
We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.
Group Time-based One-time Passwords and its Application to Efficient Privacy-Preserving Proof of Location
Time-based One-Time Password (TOTP) provides a strong second factor for user authentication. In TOTP, a prover authenticates to a verifier by using the current time and a secret key to generate an authentication token (or password) which is valid for a short time period. Our goal is to extend TOTP to the group setting, and to provide both authentication and privacy. To this end, we introduce a new authentication scheme, called Group TOTP (GTOTP), that allows the prover to prove that it is a member of an authenticated group without revealing its identity. We propose a novel construction that transforms any asymmetric TOTP scheme into a GTOTP scheme. Our approach combines a Merkle tree and a Bloom filter to reduce the verifier’s state to a constant size.
As a promising application of GTOTP, we show that GTOTP can be used to construct an efficient privacy-preserving Proof of Location (PoL) scheme. We utilize a commitment protocol, a privacy-preserving location proximity scheme, and our GTOTP scheme to build the PoL scheme, in which GTOTP is used not only for user authentication but also as a tool to glue together the other building blocks. In the PoL scheme, with the help of some witnesses, a user can prove its location to a verifier, while ensuring the identity and location privacy of both the prover and the witnesses. Our PoL scheme outperforms the alternatives based on group digital signatures. We evaluate our schemes on Raspberry Pi hardware, and demonstrate that they achieve practical performance. In particular, the password generation and verification times are on the order of microseconds and milliseconds, respectively, while the computation time of proof generation is less than 1 second.
Users usually create their passwords with meaningful digits, i.e., digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat.
In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical tool for extracting digit semantics from passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit used to construct mangling rules), and then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic while remaining compatible with the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules in extending current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.
Despite efforts to replace them, passwords remain the primary form of authentication on the web. Password managers seek to address many of the problems with passwords by helping users generate, store, and fill strong and unique passwords. Even though experts frequently recommend password managers, there is limited information regarding their usability. To aid in designing such usability studies, we systematize password manager use cases, identifying ten essential use cases, three recommended use cases, and four extended use cases. We also systematize the system designs employed to satisfy these use cases, designs that should be examined in usability studies to understand their relative strengths and weaknesses. Finally, we describe observations from 136 cognitive walkthroughs exploring the identified essential use cases in eight popular managers. Ultimately, we expect that this work will serve as the foundation for an explosion of new research into the usability of password managers.
SESSION: Machine Learning Security 2
Online advertisers have been quite successful in circumventing traditional adblockers that rely on manually curated rules to detect ads. As a result, adblockers have started to use machine learning (ML) classifiers for more robust detection and blocking of ads. Among these, AdGraph, which leverages rich contextual information to classify ads, is arguably the state-of-the-art ML-based adblocker. In this paper, we present a4, a tool that intelligently crafts adversarial ads to evade AdGraph. Unlike traditional adversarial examples in the computer vision domain that can perturb any pixels (i.e., unconstrained), adversarial ads generated by a4 are actionable in the sense that they preserve the application semantics of the web page. Through a series of experiments we show that a4 can bypass AdGraph about 81% of the time, which surpasses the state-of-the-art attack by a significant margin of 145.5%, with an overhead of <20% and perturbations that are visually imperceptible in the rendered webpage. We envision that a4’s framework can be used to potentially launch adversarial attacks against other ML-based web applications.
Deep neural networks (DNNs) have progressed rapidly during the past decade and have been deployed in various real-world applications. Meanwhile, DNN models have been shown to be vulnerable to security and privacy attacks. One such attack that has attracted a great deal of attention recently is the backdoor attack. Specifically, the adversary poisons the target model’s training set to mislead any input with an added secret trigger to a target class.
Previous backdoor attacks predominantly focus on computer vision (CV) applications, such as image classification. In this paper, we perform a systematic investigation of backdoor attacks on NLP models, and propose BadNL, a general NLP backdoor attack framework including novel attack methods. Specifically, we propose three methods to construct triggers, namely BadChar, BadWord, and BadSentence, including basic and semantic-preserving variants. Our attacks achieve an almost perfect attack success rate with a negligible effect on the original model’s utility. For instance, using BadChar, our backdoor attack achieves a 98.9% attack success rate while yielding a utility improvement of 1.5% on the SST-5 dataset when poisoning only 3% of the original set. Moreover, we conduct a user study to prove that our triggers can preserve the semantics well from a human perspective.
Recent studies have shown that neural networks are vulnerable to Trojan attacks, where a network is trained to respond to specially crafted trigger patterns in the inputs in specific and potentially malicious ways. This paper proposes MISA, a new online approach to detect Trojan triggers for neural networks at inference time. Our approach is based on a novel notion called misattributions, which captures the anomalous manifestation of a Trojan activation in the feature space. Given an input image and the corresponding output prediction, our algorithm first computes the model’s attribution on different features. It then statistically analyzes these attributions to ascertain the presence of a Trojan trigger. Across a set of benchmarks, we show that our method can effectively detect Trojan triggers for a wide variety of trigger patterns, including several recent ones for which there are no known defenses. Our method achieves 96% AUC for detecting images that include a Trojan trigger without any assumptions on the trigger pattern.
Automatic speech recognition (ASR) systems are vulnerable to audio adversarial examples that attempt to deceive ASR systems by adding perturbations to benign speech signals. Although an adversarial example and the original benign wave are indistinguishable to humans, the former is transcribed as a malicious target sentence by ASR systems. Several methods have been proposed to generate audio adversarial examples and feed them directly into the ASR system (over-line). Furthermore, many researchers have demonstrated the feasibility of robust physical audio adversarial examples (over-air). To defend against these attacks, several defenses have been proposed. However, deploying them in a real-world setting is difficult because of accuracy drops or time overhead.
In this paper, we propose a novel method to detect audio adversarial examples by adding noise to the logits before feeding them into the decoder of the ASR. We show that carefully selected noise can significantly impact the transcription results of the audio adversarial examples, whereas it has minimal impact on the transcription results of benign audio waves. Based on this characteristic, we detect audio adversarial examples by comparing the transcription altered by logit noising with its original transcription. The proposed method can be easily applied to ASR systems without any structural changes or additional training. The experimental results show that the proposed method is robust to over-line audio adversarial examples as well as over-air audio adversarial examples compared with state-of-the-art detection methods.
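The detection idea described above, worked through on constructed data as an added example (this is not the paper's code and the paper's ASR model, noise distribution and threshold are not given here): per-frame logits for a short utterance are built by hand, Gaussian noise is added to them before a greedy CTC decoder, and the input is flagged when the noisy transcription diverges from the clean one. The "adversarial" input is modelled by the assumption that an adversarial perturbation leaves the winning logit only a small margin above its competitors, so the same noise that leaves a high-margin benign input untouched flips its transcription.

```python
import random

# Constructed toy alphabet for the example; index 0 plays the CTC blank symbol.
ALPHABET = ["-", "o", "p", "e", "n", "s"]
BLANK = 0


def greedy_ctc_decode(logits):
    """Greedy CTC decoding: arg-max per frame, collapse repeats, drop blanks."""
    out, prev = [], None
    for frame in logits:
        idx = max(range(len(frame)), key=frame.__getitem__)
        if idx != prev and idx != BLANK:
            out.append(ALPHABET[idx])
        prev = idx
    return "".join(out)


def make_logits(text, margin, frames_per_char=2):
    """Constructed per-frame logits that decode to `text`. `margin` is the gap
    between the winning class and every other class; a small margin stands in
    for an adversarial example sitting just over the decision boundary."""
    logits = []
    for ch in text:
        for _ in range(frames_per_char):
            frame = [0.0] * len(ALPHABET)
            frame[ALPHABET.index(ch)] = margin
            logits.append(frame)
        sep = [0.0] * len(ALPHABET)  # blank frame between characters
        sep[BLANK] = margin
        logits.append(sep)
    return logits


def add_logit_noise(logits, sigma, rng):
    """Logit noising: perturb every logit with N(0, sigma) before decoding."""
    return [[v + rng.gauss(0.0, sigma) for v in frame] for frame in logits]


def edit_distance(a, b):
    """Levenshtein distance between two transcriptions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def noise_sensitivity(logits, sigma=1.0, trials=20, seed=1):
    """Return (fraction of noisy decodes that differ from the clean decode,
    mean normalised edit distance). Repeated trials smooth out single draws."""
    rng = random.Random(seed)
    clean = greedy_ctc_decode(logits)
    changed, total_dist = 0, 0.0
    for _ in range(trials):
        noisy = greedy_ctc_decode(add_logit_noise(logits, sigma, rng))
        if noisy != clean:
            changed += 1
        total_dist += edit_distance(clean, noisy) / max(len(clean), 1)
    return changed / trials, total_dist / trials


def is_adversarial(logits, threshold=0.5, **kw):
    """Flag the input when noise changes the transcription more often than
    `threshold` (an assumed cut-off, not one taken from the paper)."""
    return noise_sensitivity(logits, **kw)[0] > threshold


if __name__ == "__main__":
    benign = make_logits("open", margin=8.0)
    adversarial = make_logits("open", margin=0.2)
    print("benign:", greedy_ctc_decode(benign), noise_sensitivity(benign))
    print("adversarial:", greedy_ctc_decode(adversarial), noise_sensitivity(adversarial))
```

Both inputs decode to the same text when clean; only the low-margin one is unstable under noise, which is the property the detector keys on. A real deployment would calibrate `sigma` and `threshold` on held-out benign audio, since noise that is too strong would start to perturb benign transcriptions as well.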
Can We Leverage Predictive Uncertainty to Detect Dataset Shift and Adversarial Examples in Android Malware Detection?
The deep learning approach to detecting malicious software (malware) is promising but has yet to tackle the problem of dataset shift, namely that the joint distribution of examples and their labels associated with the test set is different from that of the training set. This problem causes the degradation of deep learning models without users’ notice. In order to alleviate the problem, one approach is to let a classifier not only predict the label on a given example but also present its uncertainty (or confidence) on the predicted label, whereby a defender can decide whether to use the predicted label or not. While intuitive and clearly important, the capabilities and limitations of this approach have not been well understood. In this paper, we conduct an empirical study to evaluate the quality of predictive uncertainties of malware detectors. Specifically, we re-design and build 24 Android malware detectors (by transforming four off-the-shelf detectors with six calibration methods) and quantify their uncertainties with nine metrics, including three metrics dealing with data imbalance. Our main findings are: (i) predictive uncertainty indeed helps achieve reliable malware detection in the presence of dataset shift, but cannot cope with adversarial evasion attacks; (ii) approximate Bayesian methods are promising to calibrate and generalize malware detectors to deal with dataset shift, but cannot cope with adversarial evasion attacks; (iii) adversarial evasion attacks can render calibration methods useless, and it is an open problem to quantify the uncertainty associated with the predicted labels of adversarial examples (i.e., it is not effective to use predictive uncertainty to detect adversarial examples).
SESSION: Hardware and Architecture
AMD’s Secure Encrypted Virtualization (SEV) is an emerging technology of AMD server processors, which provides transparent memory encryption and key management for virtual machines (VMs) without trusting the underlying hypervisor. Like Intel Software Guard Extensions (SGX), SEV forms a foundation for confidential computing on untrusted machines; unlike SGX, SEV supports full VM encryption and thus makes porting applications straightforward. To date, many mainstream cloud service providers, including Microsoft Azure and Google Cloud, have already adopted (or are planning to adopt) SEV for confidential cloud services.
In this paper, we provide the first exploration of the security issues of TLB management on SEV processors and demonstrate a novel class of TLB Poisoning attacks against SEV VMs. We first demystify how SEV extends the TLB implementation atop AMD Virtualization (AMD-V) and show that the TLB management is no longer secure under SEV’s threat model, which allows the hypervisor to poison TLB entries between two processes of a SEV VM. We then present TLB Poisoning Attacks, a class of attacks that break the integrity and confidentiality of the SEV VM by poisoning its TLB entries. Two variants of TLB Poisoning Attacks are described in the paper; and two end-to-end attacks are performed successfully on both AMD SEV and SEV-ES.
Regular expression (regex) matching is an integral part of deep packet inspection (DPI) but a major bottleneck due to its low performance. For regex matching (REM) acceleration, FPGA-based studies have emerged that exploit parallelism by matching multiple regex patterns concurrently. However, although they guarantee high performance, existing FPGA-based regex solutions still do not support dynamic updates at run time. Hence, they are unsuitable as a DPI function, since malicious signatures change frequently. In this work, we introduce Reinhardt, a real-time reconfigurable hardware architecture for REM. Reinhardt represents regex patterns as a combination of reconfigurable cells in hardware and updates regex patterns in real time while providing high performance. We implement the prototype using NetFPGA-SUME, and our evaluation demonstrates that Reinhardt updates hundreds of patterns within a second and achieves up to 10 Gbps throughput (the maximum hardware bandwidth). Our case studies show that Reinhardt can operate as an NIDS/NIPS and as the REM accelerator for them.
Deep learning with edge computing arises as a popular paradigm for powering edge devices with intelligence. As the size of deep neural networks (DNNs) continually increases, model quantization, which converts the full-precision model into a lower-bit representation while mostly preserving the accuracy, becomes a prerequisite for deploying a well-trained DNN on resource-limited edge devices. However, properly quantizing a DNN requires a substantial amount of expert knowledge, or otherwise the model accuracy would be devastatingly affected. Alternatively, recent years have witnessed the birth of third-party model supply chains which provide pretrained quantized neural networks (QNNs) for free download.
In this paper, we systematically analyze the potential threats of trojaned models in third-party QNN supply chains. For the first time, we describe and implement a QUAntization-SpecIfic backdoor attack (QUASI), which manipulates the quantization mechanism to inject a backdoor specific to the quantized model. In other words, the attacker-specified inputs, or triggers, would not cause misbehaviors of the trojaned model in full precision until the backdoor function is automatically completed by a normal quantization operation, producing a trojaned QNN which can be triggered with a near 100% success rate. Our proposed QUASI attack reveals several key vulnerabilities in the existing QNN supply chains: (i) QUASI demonstrates that a third-party QNN released online can also be injected with backdoors, while, unlike for full-precision models, there is almost no working algorithm for checking the fidelity of a QNN. (ii) More threateningly, the backdoor injected by QUASI remains inactive in the full-precision model, which prevents model consumers from attributing an ongoing trojan attack to the malicious model provider. As a practical implication, we warn that it can be highly risky to accept and deploy third-party QNNs on edge devices at the current stage, absent future mitigation studies.
As the complexity of software applications increases, there has been a growing demand for intra-process memory isolation. The commercially available intra-process memory isolation mechanisms in modern processors, e.g., Intel’s memory protection keys, trade-off between efficiency and security guarantees. Recently, researchers have tended to leverage the features with low security guarantees for intra-process memory isolation. Subsequently, they have relied on binary scanning and runtime binary rewriting to prevent the execution of unsafe instructions, which improves the security guarantees. Such intra-process memory isolation mechanisms are not the only security solutions that have to prevent the execution of unsafe instructions in untrusted parts of the code. In fact, we identify a similar requirement in a variety of other security solutions. Although binary scanning and runtime binary rewriting approaches can be leveraged to address this requirement, it is challenging to efficiently implement these approaches.
In this paper, we propose an efficient and flexible hardware-assisted feature for runtime filtering of user-specified instructions. This flexible feature, called FlexFilt, assists with securing various isolation-based mechanisms. FlexFilt enables the software developer to create up to 16 instruction domains, where each instruction domain can be configured to filter the execution of user-specified instructions. In addition to filtering unprivileged instructions, FlexFilt is capable of filtering privileged instructions. To illustrate the effectiveness of FlexFilt compared to binary scanning approaches, we measure the overhead caused by scanning the JIT compiled code while browsing various webpages. We demonstrate the feasibility of FlexFilt by implementing our design on the RISC-V Rocket core, providing the Linux kernel support for it, and prototyping our full design on an FPGA.
As security grows in importance, system designers turn to hardware support for security. Hardware’s unique properties enable functionality and performance levels not available with software alone. One unique property of hardware is non-determinism. Unlike software, which is inherently deterministic (e.g., the same inputs produce the same outputs), hardware encompasses an abundance of non-determinism; non-determinism born out of manufacturing and operational chaos. While hardware designers focus on hiding the effects of such chaos behind voltage and clock frequency guard bands, security practitioners embrace the chaos as a source of randomness.
We propose a single hardware security primitive composed of basic circuit elements that harnesses both manufacturing and operational chaos to serve as the foundation for both a true random-number generator and a physical unclonable function suitable for deployment in resource-constrained Internet-of-Things (IoT) devices. Our primitive RingRAM leverages the observation that, while existing hardware security primitives have limitations that prevent deployment, they can be merged to form a hardware security primitive that has all of the benefits, but none of the drawbacks. We show how RingRAM’s reliance on simple circuit elements enables universal implementation using discrete components, on an FPGA, and as an ASIC. We then design RingRAM tuning knobs that allow designers to increase entropy, decrease noise, and eliminate off-chip post-processing. We validate RingRAM, showing that it serves as a superior true random-number generator and physical unclonable function—robust against aging and thermal attacks. Finally, to show how RingRAM increases IoT system security, we provide two Linux-based use cases on top of a RISC-V System-on-Chip.
SESSION: Malware and Novel Attacks
Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.
Artifacts such as log data and network traffic are fundamental for cybersecurity research, e.g., in the area of intrusion detection. Yet, most research is based on artifacts that are not available to others or cannot be adapted to one’s own purposes, thus making it difficult to reproduce and build on existing work. In this paper, we identify the challenges of artifact generation with the goal of conducting sound experiments that are valid, controlled, and reproducible. We argue that testbeds for artifact generation have to be designed specifically with reproducibility and adaptability in mind. To achieve this goal, we present SOCBED, our proof-of-concept implementation and the first testbed with a focus on generating realistic log data for cybersecurity experiments in a reproducible and adaptable manner. SOCBED enables researchers to reproduce testbed instances on commodity computers, adapt them according to their own requirements, and verify their correct functionality. We evaluate SOCBED with an exemplary, practical experiment on detecting a multi-step intrusion of an enterprise network and show that the resulting experiment is indeed valid, controlled, and reproducible. Both SOCBED and the log dataset underlying our evaluation are freely available.
The Internet of Things (IoT) consists of devices that are growing exponentially in number and in complexity. They use numerous customized firmware and hardware components, built without taking security issues into consideration, which makes them a target for cybercriminals, especially malware authors.
We present a novel approach that uses side-channel information to identify the kinds of threats targeting the device. Using our approach, a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of obfuscation techniques that may prevent static or symbolic binary analysis. We recorded 100,000 measurement traces from an IoT device infected by various in-the-wild malware samples and realistic benign activity. Our method does not require any modification of the target device. Thus, it can be deployed independently of the resources available, without any overhead. Moreover, our approach has the advantage that it can hardly be detected or evaded by the malware authors. In our experiments, we were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%. Moreover, our results show that we are able to classify altered malware samples with obfuscation techniques unseen during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.
Automatic Speech Recognition (ASR) systems are widely used in various online transcription services and personal digital assistants. Emerging lines of research have demonstrated that ASR systems are vulnerable to hidden voice commands, i.e., audio that can be recognized by ASRs but not by humans. Such attacks, however, often either highly depend on white-box knowledge of a specific machine learning model or require special hardware to construct the adversarial audio. This paper proposes a new model-agnostic and easily-constructed attack, called CommanderGabble, which uses fast speech to camouflage voice commands. Both humans and ASR systems often misinterpret fast speech, and such misinterpretation can be exploited to launch hidden voice command attacks. Specifically, by carefully manipulating the phonetic structure of a target voice command, ASRs can be caused to derive a hidden meaning from the manipulated, high-speed version. We implement the discovered attacks both over-the-wire and over-the-air, and conduct a suite of experiments to demonstrate their efficacy against 7 practical ASR systems. Our experimental results show that the over-the-wire attacks can disguise as many as 96 out of 100 tested voice commands into adversarial ones, and that the over-the-air attacks are consistently successful for all 18 chosen commands in multiple real-world scenarios.
Rapid prototyping makes additive manufacturing (or 3D printing) useful in critical application domains such as aerospace, automotive, and medical. The rapid expansion of these applications should prompt the examination of the underlying security of 3D printed objects. In this paper, we present Mystique, a novel class of stealthy attacks on printed objects that leverage the fourth dimension of emerging 4D printing technology to introduce embedded logic bombs through manufacturing process manipulation. Mystique enables visually benign objects to behave maliciously upon the activation of the logic bomb during operation. It leverages the manufacturing process to embed a physical logic bomb that can be triggered with specific stimuli to change the physical and mechanical properties of the printed objects. These changes in properties can potentially cause catastrophic operational failures when the objects are used in critical applications such as drones, prosthesis, or medical applications.
We successfully evaluated Mystique on several 3D printing case studies and showed that Mystique can evade prior countermeasures. To address this, we propose two mitigation strategies to defend against Mystique. The first solution focuses on detecting changes of materials, such as filament diameter and composition, before printing. A dielectric sensor circuit is designed to quantify changes in filament diameter and concentration composition. The dielectric sensor can detect a change of 0.1 mm in filament diameter and a change of 10% in concentration composition. The second solution attempts to detect 4D attacks by examining the printed object using imaging techniques. To be specific, we performed data-driven classification on high-resolution CT images of printed objects. This detection has an accuracy of 94.6% in identifying 4D attacks in a single printing layer.
SESSION: Cryptocurrency and Side Channels
A smart contract cannot be modified once deployed. Bugs in deployed smart contracts may cause devastating consequences. For example, the infamous reentrancy bug in the DAO contract allowed attackers to arbitrarily withdraw ether, which caused millions of dollars in losses. Currently, the main countermeasure against contract bugs is to thoroughly detect and verify contracts before deployment, which, however, cannot defend against unknown bugs. These detection methods also suffer from possible false negatives.
In this paper, we propose SolSaviour, a framework for repairing and recovering deployed defective smart contracts by redeploying patched contracts and migrating the old contracts’ internal states to the new ones. SolSaviour consists of a voteDestruct mechanism and a TEE cluster. The voteDestruct mechanism allows contract stakeholders to decide whether to destroy the defective contract and withdraw the assets inside. The TEE cluster is responsible for asset escrow, redeployment of patched contracts, and state migration. Our experimental results show that SolSaviour can successfully repair vulnerabilities, reduce asset losses, and recover all defective contracts. To the best of our knowledge, we are the first to propose a defense mechanism for repairing and recovering deployed defective smart contracts.
Improving Streaming Cryptocurrency Transaction Classification via Biased Sampling and Graph Feedback
We show that knowledge of wallet addresses from the current time state of a blockchain network, such as Bitcoin, increases the performance of illicit activity detection. Based on this finding we introduce two new methods for the sampling of classifier training data so that precedence is given to transaction information from the recent past and the current time state. This sampling enables streaming classification in which a decision on the class of a transaction needs to be made based on data seen to date. Our new approach provides insight into how the dynamics of the blockchain network plays a central role in the detection of illicit transactions, and is independent of the classifier choice. Our proposed sampling methods enable graph convolution network (GCN) and random forest (RF) classifiers to better adapt to changes in the network due to significant events, such as the closure of a large ‘Darknet’ marketplace. We introduce Graphlet spectral correlation analysis for exposing the effect of such network re-organisation due to major events. Finally, based on our analysis, we propose a new two-stage random forest classifier that feeds back intermediate predictions of neighbours to improve the classification decision. Our methodology enables practical streaming classification, even in the scenario of very limited information on the feature space of each transaction.
Scalability remains one of the biggest challenges to the adoption of permissioned blockchain technologies for large-scale deployments. Namely, permissioned blockchains typically exhibit low latencies, compared to permissionless deployments—however at the cost of poor scalability. As a remedy, various solutions were proposed to capture “the best of both worlds”, targeting low latency and high scalability simultaneously. Among these, blockchain sharding emerges as the most prominent technique. Most existing sharding proposals exploit features of the permissionless model and are therefore restricted to cryptocurrency applications. A few permissioned sharding proposals exist, however, they either make strong trust assumptions on the number of faulty nodes or rely on trusted hardware or assume a static participation model where all nodes are expected to be available all the time. In practice, nodes may join and leave the system dynamically, which makes it challenging to establish how to shard and when.
In this work, we address this problem and present Mitosis, a novel approach to practically improve the scalability of permissioned blockchains. Our system allows the dynamic creation of blockchains, as more participants join the system, to meet practical scalability requirements. Crucially, it enables the division of an existing blockchain (and its participants) into two—reminiscent of mitosis, the biological process of cell division. Mitosis inherits the low latency of permissioned blockchains while preserving high throughput via parallel processing. Newly created chains in our system are fully autonomous, can choose their own consensus protocol, and yet can interact with each other to share information and assets—meeting high levels of interoperability. We analyse the security of Mitosis and evaluate experimentally the performance of our solution when instantiated over Hyperledger Fabric. Our results show that Mitosis can be ported with few modifications and manageable overhead to existing permissioned blockchains, such as Hyperledger Fabric. As far as we are aware, Mitosis emerges as the first workable and practical solution to scale existing permissioned blockchains.
Advanced RISC Machines (ARM) processors have recently gained market share in both cloud computing and desktop applications. Meanwhile, ARM devices have shifted to a more peripheral-based design, wherein designers attach a number of coprocessors and accelerators to the System-on-a-Chip (SoC). By adopting a System-Level Cache, which acts as a shared cache between the CPU cores and peripherals, ARM attempts to alleviate the memory bottleneck issues that exist between data sources and accelerators. This paper investigates emerging security threats introduced by this new System-Level Cache. Specifically, we demonstrate that the System-Level Cache can still be exploited to create a cache occupancy channel to accurately fingerprint websites. We redesign and optimize the attack for various browsers based on the ARM cache design, which can significantly reduce the attack duration while increasing accuracy. Moreover, we introduce a novel GPU contention channel in mobile devices, which can achieve similar accuracy to the cache occupancy channel. We conduct a thorough evaluation by examining these attacks across multiple devices, including iOS, Android, and macOS with the new M1 MacBook Air. The experimental results demonstrate that (1) the System-Level Cache based website fingerprinting technique can achieve promising accuracy in both open-world (up to 90%) and closed-world (up to 95%) scenarios, and (2) our GPU contention channel is more effective than the CPU cache channel on Android devices.
Physical isolation, so called air-gapping, is an effective method for protecting security-critical computers and networks. While it might be possible to introduce malicious code through the supply chain, insider attacks, or social engineering, communicating with the outside world is prevented. Different approaches to breach this essential line of defense have been developed based on electromagnetic, acoustic, and optical communication channels. However, all of these approaches are limited in either data rate or distance, and frequently offer only exfiltration of data. We present a novel approach to infiltrate data to air-gapped systems without any additional hardware on-site. By aiming lasers at already built-in LEDs and recording their response, we are the first to enable a long-distance (25 m), bidirectional, and fast (18.2 kbps in & 100 kbps out) covert communication channel. The approach can be used against any office device that operates LEDs at the CPU’s GPIO interface.
SESSION: Software Security 2
Rust is an emerging programming language which aims to provide both safety guarantees and runtime efficiency, and has been used extensively in system programming scenarios. However, as Rust includes an unsafe language subset (unsafe Rust), Rust programs are still vulnerable to severe security attacks which may defeat its safety guarantees. Existing studies on Rust security focus on the detection of vulnerabilities but seldom consider bug fixing. Meanwhile, it is often time-consuming and error-prone for Rust developers to understand and fix bugs manually, due to Rust’s advanced language features. In this paper, we present Rupair, an automated rectification system, to detect and fix one of the most severe sorts of Rust vulnerabilities—buffer overflows—and to help developers release secure Rust projects. The key technical component of Rupair is a novel security-oriented lightweight data-flow analysis algorithm, which makes use of Rust’s two primary intermediate representations and works across the boundary of Rust’s safe and unsafe sub-languages. To evaluate the effectiveness of Rupair, we first apply it to all 4 reported buffer overflow-related CVEs and vulnerabilities (as of June 20, 2021). Experimental results demonstrate that Rupair successfully detected and rectified all these CVEs. To test the scalability of Rupair, we collected 36 open-source Rust projects from 8 different application domains, consisting of 5,108,432 lines of Rust source code, and applied Rupair to these projects. Experimental results show that Rupair successfully identified 14 previously undiscovered buffer overflow vulnerabilities in these projects, and rectified all of them. Moreover, Rupair is efficient, introducing only 3.6% overhead to each rectified Rust program on average.
Rust is a programming language that simultaneously offers high performance and strong security guarantees. Safe Rust (i.e., Rust code that does not use the unsafe keyword) is memory and type safe. However, these guarantees are violated when safe Rust interacts with unsafe code, most notably code written in other programming languages, including in legacy C/C++ applications that are incrementally deploying Rust. This is a significant problem as major applications such as Firefox, Chrome, AWS, Windows, and Linux have either deployed Rust or are exploring doing so. It is important to emphasize that unsafe code is not only unsafe itself, but also it breaks the safety guarantees of ‘safe’ Rust; e.g., a dangling pointer in a linked C/C++ library can access and overwrite memory allocated to Rust even when the Rust code is fully safe.
This paper presents Galeed, a technique to keep safe Rust safe from interference from unsafe code. Galeed has two components: a runtime defense to prevent unintended interactions between safe Rust and unsafe code and a sanitizer to secure intended interactions. The runtime component works by isolating Rust’s heap from any external access and is enforced using Intel Memory Protection Key (MPK) technology. The sanitizer uses a smart data structure that we call pseudo-pointer along with automated code transformation to avoid passing raw pointers across safe/unsafe boundaries during intended interactions (e.g., when Rust and C++ code exchange data). We implement and evaluate the effectiveness and performance of Galeed via micro- and macro-benchmarking, and use it to secure a widely used component of Firefox.
Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGuard, for simultaneously profiling the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGuard utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel microservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach are shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at a 0.01% false alarm rate.
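The graph-building step described above, as an added example that is not DistAppGuard's code: strace-style lines (constructed here; pid, syscall, arguments, return value) are turned into directed data-flow edges between process nodes and the files and sockets they read from or write to. In place of the paper's microservice-aware autoencoder, the example scores a trace by the fraction of its edges that never appeared in a baseline profile, which is a deliberately simpler stand-in that shows what the graph representation exposes; the trace format, pids, paths and addresses are all assumed.

```python
import re
from collections import defaultdict

# Constructed strace-like traces (pid-prefixed lines). Not real application data.
BASELINE_TRACE = """\
101 openat(AT_FDCWD, "/var/www/index.html", O_RDONLY) = 3
101 read(3, "<html>", 4096) = 6
101 close(3) = 0
101 socket(AF_INET, SOCK_STREAM, 0) = 4
101 connect(4, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("10.0.0.20")}, 16) = 0
101 write(4, "SELECT", 6) = 6
101 read(4, "row", 4096) = 3
102 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY|O_APPEND) = 3
102 write(3, "ok", 2) = 2
"""

# Same web process, but it now reads a credential file and pushes the bytes to
# an unknown host: two data-flow edges the baseline profile has never seen.
SUSPICIOUS_TRACE = """\
101 openat(AT_FDCWD, "/var/www/index.html", O_RDONLY) = 3
101 read(3, "<html>", 4096) = 6
101 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 5
101 read(5, "root:", 4096) = 5
101 socket(AF_INET, SOCK_STREAM, 0) = 6
101 connect(6, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
101 write(6, "root:", 5) = 5
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
PATH_RE = re.compile(r'"([^"]*)"')
PORT_RE = re.compile(r"htons\((\d+)\)")
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')

READS = {"read", "recvfrom", "pread64"}
WRITES = {"write", "sendto", "pwrite64"}


def build_graph(trace):
    """Return the set of directed edges (src, dst) between process nodes
    ("pid:101") and resource nodes (file paths or "net:ip:port").
    Per-pid fd tables resolve read/write calls back to the opened resource."""
    fds = defaultdict(dict)  # pid -> fd -> resource name
    edges = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = m["pid"], m["call"], m["args"], int(m["ret"])
        proc = f"pid:{pid}"
        first = args.split(",")[0].strip()
        if call in ("open", "openat") and ret >= 0:
            fds[pid][ret] = PATH_RE.search(args).group(1)
        elif call == "connect" and ret == 0:
            addr, port = ADDR_RE.search(args).group(1), PORT_RE.search(args).group(1)
            fds[pid][int(first)] = f"net:{addr}:{port}"
        elif call == "close":
            fds[pid].pop(int(first), None)
        elif call in READS | WRITES and ret > 0:
            resource = fds[pid].get(int(first))
            if resource is None:
                continue  # fd opened before the trace started; unknown resource
            edges.add((resource, proc) if call in READS else (proc, resource))
    return edges


def anomaly_score(trace, baseline=None):
    """Fraction of the trace's edges absent from the baseline graph, plus the
    novel edges themselves for triage. Stand-in for the learned model."""
    baseline = build_graph(BASELINE_TRACE) if baseline is None else baseline
    edges = build_graph(trace)
    novel = edges - baseline
    return (len(novel) / len(edges) if edges else 0.0), sorted(novel)


if __name__ == "__main__":
    print("baseline:", anomaly_score(BASELINE_TRACE))
    print("suspicious:", anomaly_score(SUSPICIOUS_TRACE))
```

Reading the result: the index.html read is known behaviour, while the `/etc/shadow` read and the write to `203.0.113.9:4444` are edges the profile never contained, so two of the three edges are novel. A learned model replaces this set difference because real traces have far more edges and normal behaviour drifts, but the same process/resource graph is its input.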
ICS3Fuzzer: A Framework for Discovering Protocol Implementation Bugs in ICS Supervisory Software by Fuzzing
The supervisory software is widely used in industrial control systems (ICSs) to manage field devices such as PLC controllers. Once compromised, it could be misused to control or manipulate these physical devices maliciously, endangering manufacturing process or even human lives. Therefore, extensive security testing of supervisory software is crucial for the safe operation of ICS. However, fuzzing ICS supervisory software is challenging due to the prevalent use of proprietary protocols. Without the knowledge of the program states and packet formats, it is difficult to enter the deep states for effective fuzzing.
In this work, we present a fuzzing framework to automatically discover implementation bugs residing in the communication protocols between the supervisory software and the field devices. To avoid heavy human effort in reverse-engineering the proprietary protocols, the proposed approach constructs a state-book based on the readily-available execution trace of the supervisory software and the corresponding inputs. Then, we propose a state selection algorithm to find the protocol states that are more likely to have bugs. Our fuzzer distributes more budget on those interesting states. To quickly reach the interesting states, traditional snapshot-based methods do not work since the communication protocols are time sensitive. We address this issue by synchronously managing external events (GUI operations and network traffic) during the fuzzing loop. We have implemented a prototype and used it to fuzz the supervisory software of four popular ICS platforms. We have found 13 bugs and received 3 CVEs, 2 of which are classified as critical (CVSS3.x score CRITICAL 9.8) and affect 40 different products.
argXtract: Deriving IoT Security Configurations via Automated Static Analysis of Stripped ARM Cortex-M Binaries
Recent high-profile attacks on the Internet of Things (IoT) have brought to the forefront the vulnerabilities in “smart” devices, and have revealed poor device configuration to be the root cause in many cases. This has resulted in IoT technologies and devices being subjected to numerous security analyses. For the most part, automated analyses have been confined to IoT hub or gateway devices, which tend to feature traditional operating systems such as Linux or VxWorks. However, most IoT peripherals, by their very nature of being resource-constrained, lacking traditional operating systems, implementing a wide variety of communication technologies, and (increasingly) featuring the ARM Cortex-M architecture, have only been the subject of smaller-scale analyses, typically confined to a certain class or brand of device. We bridge this gap with argXtract, a framework for performing automated static analysis of stripped Cortex-M binaries, to enable bulk extraction of security-relevant configuration data. Through a case study of 200+ Bluetooth Low Energy binaries targeting Nordic Semiconductor chipsets, as well as smaller studies against STMicroelectronics BlueNRG binaries and Nordic ANT binaries, argXtract has discovered widespread security and privacy issues in IoT, including minimal or no protection for data, weakened pairing mechanisms, and potential for device and user tracking.
SESSION: Wireless Security
OFDM is a widely used modulation scheme. It transmits data over multiple subcarriers in parallel, which provides high resilience against frequency-dependent channel drops (fading) and achieves high throughput. Due to the proliferation of OFDM-enabled devices and the increasing need for location information, the research community has suggested using OFDM symbols for secure (time-of-flight) distance measurements. However, a consequence of relying on multiple subcarriers is long symbols (time-wise). This makes OFDM systems not a natural fit for secure ranging, as long symbols allow an attacker longer observation and reaction times to mount a so-called early-detect/late-commit attack. Despite these concerns, a recent standardization effort (IEEE 802.11az) envisions the use of OFDM-based signals for secure ranging. This paper lays the groundwork for analyzing OFDM time-of-flight measurements and studies the security guarantees of OFDM-based ranging against a physical-layer attacker. We use BPSK and 4-QAM, the most robust configurations, as examples to present a strategy that increases the chances of early-detecting the transmitted symbols. Our theoretical analysis and simulations show that such OFDM systems are vulnerable to early-detection/late-commit attacks, irrespective of frame length and number of subcarriers. We identify the underlying causes and explore a possible countermeasure, consisting of orthogonal noise and randomized phase.
Mobility management in cellular networks plays a significant role in preserving mobile services with minimal latency while a user is moving. To support this essential functionality, cellular networks rely on the handover procedure. Most often, the User Equipment (UE) provides signal measurements to the network via reports to facilitate the handover decision when it discovers a more suitable base station. These measurement reports are cryptographically protected. In this paper, we examine the cellular specification and illustrate that this crucial functionality has critical security implications. To the best of our knowledge, this is the first work on cellular Man-In-The-Middle attacks based on the handover procedure. In particular, we demonstrate a new type of fake base station attack in which the handover procedures, based on the encrypted measurement reports and signal power thresholds, are vulnerable. An attacker who sets up a false base station mimicking a legitimate one can utilize the vulnerabilities in the handover procedure to cause Denial-Of-Service attacks, Man-In-The-Middle attacks, and information disclosure affecting the user as well as the operator. Therefore, users’ privacy and service availability are jeopardized. Through rigorous experimentation, we uncover the vulnerable parts of the handover procedure, a comprehensive attacker methodology, and attack requirements. We largely focus on the 5G network, showing that handover vulnerabilities remain unmitigated to date. Finally, we assess the impact of the handover attacks, and carefully present potential countermeasures that can be used against them.
Time to Rethink the Design of Qi Standard? Security and Privacy Vulnerability Analysis of Qi Wireless Charging
With the ever-growing deployment of Qi wireless charging for mobile devices, the potential impact of its vulnerabilities is an increasing concern. In this paper, we conduct the first thorough study to explore its potential security and privacy vulnerabilities. Due to the open propagation property of electromagnetic signals as well as the non-encrypted Qi communication channel, we demonstrate that the Qi communication established between the charger (i.e., a charging pad) and the charging device (i.e., a smartphone) could be non-intrusively interfered with and eavesdropped on. In particular, we build two types of attacks: 1) Hijacking Attack: through stealthily placing an ultra-thin adversarial coil on the wireless charger’s surface, we show that an adversary is capable of hijacking the communication channel by injecting malicious Qi messages to further control the entire charging process as they desire; and 2) Eavesdropping Attack: by sticking an adversarial coil underneath the surface (e.g., a table) on which the charger is placed, the adversary can eavesdrop on Qi messages and further infer the device’s running activities while it is being charged. We validate these proof-of-concept attacks using multiple commodity smartphones and 14 commonly used calling and messaging apps. The results show that our designed hijacking attack can cause overcharging, undercharging, paused charging, and similar effects, potentially leading to more significant damage to the battery (e.g., overheating, reduced battery life, or explosion). In addition, the designed eavesdropping attack can achieve high accuracy in detecting and identifying the running app activities (e.g., over 95.56% and 85.80% accuracy for calling apps and messaging apps, respectively). Our work brings to light a fundamental design vulnerability in the currently-deployed wireless charging architecture, which may put people’s security and privacy at risk while wirelessly recharging their smartphones.
Although spearphishing is a well-known security issue and has been widely researched, it is still an evolving threat with emerging forms. In recent years, Short Message Service (SMS) has been revealed as a new distribution channel for spearphishing messages, which has already caused a serious impact in the real world, but has not yet attracted enough attention from the academic community. In this paper, we report the first systematic study to spotlight this emerging threat, the SMS spearphishing attack. Through cooperating with a leading security vendor, we obtain 31.96M real-world spam messages that span three months. We design and implement a novel NLP-based detection algorithm, and uncover 90,801 spearphishing messages on the entire dataset. We then perform a large-scale measurement on the detected messages to reveal and understand the characteristics of the SMS spearphishing attack. Our findings are multi-fold. We discover that SMS spearphishing has a significant negative impact on the real world, and a large number of victims have been affected. Moreover, the distribution of active illicit types between spearphishing messages and common spam is quite inconsistent. At the micro-level, to evade detection and increase the probability of success, adversary campaigns have evolved a set of sophisticated strategies. Our research highlights that the impact of the SMS spearphishing attack is prominent. We call on different communities to work together to mitigate this emerging security threat.
SESSION: Smart Apps
Mobile crowdsourcing services (MCSs) enable fast and economical data acquisition at scale and find applications in a variety of domains. Prior work has shown that Foursquare and Waze (a location-based and a navigation MCS) are vulnerable to different kinds of data poisoning attacks. Such attacks can be upsetting and even dangerous, especially when they are used to inject improper inputs to mislead users. However, to date, there is no comprehensive study on the extent of improper input validation (IIV) vulnerabilities and the feasibility of their exploits in MCSs across domains. In this work, we leverage the fact that MCSs interface with their participants through mobile apps to design tools and new methodologies embodied in an end-to-end feedback-driven analysis framework, which we use to study 10 popular and previously unexplored services in five different domains. Using our framework we send tens of thousands of API requests with automatically generated input values to characterize their IIV attack surface. Alarmingly, we found that most of them (8/10) suffer from grave IIV vulnerabilities which allow an adversary to launch data poisoning attacks at scale: 7400 spoofed API requests were successful in faking online posts for robberies, gunshots, and other dangerous incidents, and in faking fitness activities with supernatural speeds and distances, among many others. Lastly, we discuss mitigation strategies that are easy to implement and deploy, which can greatly reduce the IIV attack surface, and argue for their use as a necessary complementary measure working toward trustworthy mobile crowdsourcing services.
Stalkerware enables individuals to conduct covert surveillance on a targeted person’s device. Android devices are a particularly fertile ground for stalkerware, most of which spies on a single communication channel, sensor, or category of private data, though 27% of stalkerware surveils multiple private data sources. We present Dosmelt, a system that enables stalkerware warnings that precisely characterize the types of surveillance conducted by Android stalkerware so that surveilled individuals can take appropriate mitigating action. Our methodology uses active learning in a semi-supervised learning setting to tackle this task at scale, which would otherwise require expert labeling of a significant number of stalkerware apps. Dosmelt leverages the observation that stalkerware differs from other categories of spyware in its open advertising of its surveillance capabilities, which we detect on the basis of the titles and self-descriptions of stalkerware apps that are posted on Android app stores. Dosmelt achieves up to 96% AUC for stalkerware detection with a 91% Macro-F1 score for surveillance capability attribution for stalkerware apps. Dosmelt has detected hundreds of new stalkerware apps that we have added to the Stalkerware Threat List.
A growing trend in repackaging attacks exploits the Android virtualization technique, in which malicious code can run together with the victim app in a virtual container. In such a scenario, the attacker can directly build a malicious container capable of hosting the victim app instead of tampering with it, thus sidestepping any anti-repackaging protection developed so far. Also, existing anti-virtualization techniques are ineffective since the malicious container can intercept, and tamper with, such controls at runtime. So far, only two solutions have been specifically designed to address virtualization-based repackaging attacks. However, their effectiveness is limited since they both rely on static taint analysis, and thus cannot evaluate code dynamically loaded at runtime.
To mitigate such a problem, in this paper we introduce MARVEL, the first methodology that allows the prevention of both traditional and virtualization-based repackaging attacks. MARVEL strongly relies on the virtualization technique to build a secure virtual environment where protected apps can run and be checked at runtime. To assess the viability and reliability of MARVEL, we implemented it in a tool, MARVELoid, which we tested by protecting 4000 apps with 24 different configurations of the protection parameters (i.e., 96k protection combinations). MARVELoid was able to inject the protection in 97.3% of the cases, with a processing time of 98 seconds per app on average. Moreover, we evaluated the runtime overhead on 45 apps, showing that the introduced protection has a negligible impact in terms of average CPU (<5%) and memory overhead (<0.5%).
Existing symbolic execution typically assumes the analyzer can control the I/O environment and/or access the library code, which, however, is not the case when programs run on a remote proprietary execution environment managed by another party. For example, SmartThings, one of the most popular IoT platforms, is such a cloud-based execution environment. For programmers who write automation applications to be deployed on IoT cloud platforms, it raises significant challenges when they want to systematically test their code and find bugs. We propose fuzzing-assisted remote dynamic symbolic execution, which uses dynamic symbolic execution as backbone and utilizes fuzzing when necessary to automatically test programs running in a remote proprietary execution environment over which the analyzer has little control. As a case study, we enable it for analyzing smart apps running on SmartThings. We have developed a prototype and the evaluation shows that it is effective in testing smart apps and finding bugs.
Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we evaluate mobile autofill frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues, they also enforce insecure behavior and fail to provide password managers sufficient information to override the frameworks’ insecure behavior, resulting in mobile managers being less secure than their desktop counterparts overall. We also demonstrate how these frameworks act as a confused deputy in manager-assisted credential phishing attacks. Our results demonstrate the need for significant improvements to mobile autofill frameworks. We conclude the paper with recommendations for the design and implementation of secure autofill frameworks.
SESSION: Internet Traffic
Traffic analysis is essential to network security by enabling the correlation of encrypted network flows; in particular, traffic analysis has been used to detect stepping stone attackers and de-anonymize anonymous connections. A modern type of traffic analysis is flow fingerprinting, which works by slightly perturbing network flows to embed secret information into the flows that later can be used for traffic analysis. It has been shown that flow fingerprinting enables the use of traffic analysis in a wide range of applications. In this paper, we introduce an effective flow fingerprinting technique by leveraging neural networks. Specifically, our system uses a fully connected network to generate slight perturbations that are then added to the live flows to fingerprint them. We show that our fingerprinting system offers reliable performance in different network settings, outperforming the state-of-the-art. We also enforce an invisibility constraint in generating our flow fingerprints and use a GAN to generate fingerprinting delays with a Laplacian distribution to make them similar to natural network jitter. Consequently, we show that our fingerprinted flows are highly indistinguishable from benign network flows.
MAppGraph: Mobile-App Classification on Encrypted Network Traffic using Deep Graph Convolution Neural Networks
Identifying mobile apps based on network traffic has multiple benefits for security and network management. However, it is a challenging task for multiple reasons. First, network traffic is encrypted using an end-to-end encryption mechanism to protect data privacy. Second, user behavior changes dynamically when using different functionalities of mobile apps. Third, it is hard to differentiate traffic behavior due to common shared libraries and content delivery within modern mobile apps. Existing techniques managed to address the encryption issue but not the others, thus achieving low detection/classification accuracy. In this paper, we present MAppGraph, a novel technique to classify mobile apps, addressing all the above issues. Given a chunk of traffic generated by an app, MAppGraph constructs a communication graph whose nodes are defined by tuples of IP address and port of the services connected by the app, and whose edges are established by the weighted communication correlation among the nodes. We extract information from packet headers without analyzing encrypted payload to form feature vectors of the nodes. We leverage deep graph convolution neural networks to learn the diverse communication behavior of mobile apps from a large number of graphs and achieve fast classification. To validate our technique, we collect traffic of a hundred mobile apps on the Android platform and run extensive experiments with various experimental scenarios. The results show that MAppGraph significantly improves classification accuracy by up to 20% compared to recently developed techniques and demonstrates its practicality for security and network management of mobile services.
To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets. Inferring the extent of spoofability at Internet scale is challenging and, despite multiple efforts, the existing studies currently cover only a limited set of Internet networks: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software on volunteer networks, or assume specific properties, like traceroute loops. Improving coverage of the spoofing measurements is critical.
In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of ingress filtering. SMap evaluates spoofability of networks utilising standard protocols that are present in almost any Internet network. We applied SMap for Internet-wide measurements of ingress filtering: we found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies. Our measurements with SMap provide the first comprehensive view of ingress filtering deployment in the Internet as well as remediation in filtering spoofed packets over a period of two years until May 2021.
We set up a web service at https://smap.cad.sit.fraunhofer.de to perform continual Internet-wide data collection with SMap and display statistics from spoofing evaluation. We make our datasets as well as the SMap (implementation and the source code) publicly available to enable researchers to reproduce and validate our results, as well as to continually keep track of changes in filtering spoofed packets in the Internet.
With the development of the cryptocurrency market, the problem of cryptojacking, the unauthorized control of someone else’s computer to mine cryptocurrency, has become more and more serious. Existing cryptojacking detection methods require installing anti-virus software on the host or loading a plug-in in the browser, which is difficult to deploy on enterprise or campus networks with a large number of hosts and servers. To bridge the gap, we propose MineHunter, a practical cryptomining traffic detection algorithm based on time series tracking. Instead of being deployed at the hosts, MineHunter detects the cryptomining traffic at the entrance of enterprise or campus networks. MineHunter takes into account the challenges faced by the actual deployment environment, including extremely unbalanced datasets, controllable alarms, traffic confusion, and efficiency. The accurate network-level detection is achieved by analyzing the network traffic characteristics of cryptomining and investigating the association between the network flow sequence of cryptomining and the block creation sequence of cryptocurrency. We evaluate our algorithm at the entrance of a large office building in a campus network for a month. The total traffic volume exceeds 28 terabytes. Our experimental results show that MineHunter can achieve a precision of 97.0% and a recall of 99.7%.
This paper addresses a novel anti-spam gateway targeting multiple linguistic-based social platforms to expose the outlier property of their spam messages uniformly for effective detection. Instead of labeling ground truth datasets and extracting key features, which are labor-intensive and time-consuming, we start with coarsely mining seed corpora of spams and hams from the target data (aiming for spam classification), before reconstructing them as the reference. To catch each word’s rich information from the semantic and syntactic perspectives, we then leverage a natural language processing (NLP) model to embed each word into a high-dimensional vector space and use a neural network to train a spam word model. After that, each message is encoded using the predicted spam scores from this model for all included stem words. The encoded messages are processed by prominent outlier techniques to produce their respective scores, allowing us to rank them to make the outliers visible. Our solution is unsupervised, without relying on specifics of any platform or dataset, and is thus platform-oblivious. Through extensive experiments, our solution is demonstrated to expose spammers’ outlier characteristics effectively, outperform all examined unsupervised methods in almost all metrics, and may even outperform supervised counterparts.