NDSS 2014 – Programme
Sunday, February 23
8:00 am – 7:00 pm
9:00 am – 5:00 pm
9:00 am – 5:00 pm
6:00 pm – 7:00 pm
Monday, February 24
|7:30 am – 8:30 am
|8:30 am – 9:00 am
|Welcome and Opening Remarks
|9:00 am – 10:00 am
|Hacking the Human: The Science of Human Pentesting Perfected (Christopher Hadnagy, Chief Human Hacker, Social-Engineer, Inc.)
|10:30 am – 12:10 pm
|Session 1: Network Security
|12:10 pm – 1:10 pm
|1:10 pm – 2:50 pm
|Session 2: Software and System Security
|3:20 pm – 5:00 pm
|Session 3: Security of Mobile Devices I
|7:00 pm – 9:00 pm
|Reception with Posters
Tuesday, February 25
|7:30 am – 8:30 am
|8:30 am – 10:10 am
|Session 4: Web Security
|10:30 am – 12:10 pm
|Session 5: Privacy
|12:10 pm – 1:10 pm
|1:10 pm – 2:10 pm
|Session 6: Authentication and Identity I
|2:30 pm – 3:50 pm
|Session 7: Crypto I
|4:10 pm – 5:30 pm
|Session 8: Authentication and Identity II
|7:00 pm – 9:00 pm
Wednesday, February 26
|7:30 am – 8:30 am
|8:30 am – 10:10 am
|Session 9: New Applications, Attacks, and Security Economics
|10:30 am – 12:10 pm
|Session 10: Security of Mobile Devices II
|12:10 pm – 1:10 pm
|1:10 pm – 2:50 pm
|Session 11: Malware
|3:20 pm – 4:40 pm
|Session 12: Crypto II
|Closing Remarks and Final Prize Drawing
Hacking the Human: The Science of Human Pentesting Perfected
Chief Human Hacker
Chris Hadnagy, aka loganWHD, is the President and CEO of Social-Engineer, Inc. He specializes in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit. He has been in security and technology for over 16 years.
Chris is a graduate of Dr. Paul Ekman’s courses in Microexpressions, having passed the certification requirements with an “Expert Level” grade. He also has significant experience in training and educating students in non-verbal communications. He also holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).
Chris has written a number of articles for local, national, and international publications and journals to include Pentest Mag, EthicalHacker.net, and local and national Business Journals. In addition, he is the author of the best-selling book, Social Engineering: The Art of Human Hacking.
Chris has developed one of the web’s most successful security podcasts. The Social-Engineer.Org Podcast spends time each month analyzing an individual who must use influence and persuasion in their daily lives. By dissecting their choices and actions, we can learn to enhance our abilities. That same analysis applies to the equally-popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff.
Session Chair: Guofei Gu
We systematically explore the widely held, anecdotal belief that mismanaged networks are responsible for a wide range of security incidents. Utilizing Internet-scale measurements and global feeds of malicious activities, we show a statistically significant correlation between mismanaged networks and networks that are responsible for malicious behavior on the Internet.
Jing Zhang; Zakir Durumeric; Michael Bailey; Manish Karir; Mingyan Liu
Decoy routing systems circumvent censorship by relying on cooperating ISPs in the middle of the Internet. A recent study suggested that censors can defeat decoy routing by manipulating interdomain routes. We analyze the costs of launching this attack and quantify its negative impact on the networks in the censoring region.
Amir Houmansadr; Edmund Wong; Vitaly Shmatikov
In this work, we show two attacks on cellular data accounting systems where a user is either overcharged with spurious TCP retransmission or uses the service for free via TCP tunneling. We propose Abacus, an accurate accounting system that detects TCP tunneling attacks even in 10 Gbps networks.
Younghwan Go; Jongil Won; Denis Foo Kune; EunYoung Jeong; Yongdae Kim; KyoungSoo Park
CyberProbe implements a novel active probing approach for detecting malicious servers and compromised hosts that listen for network requests. It sends probes to remote hosts and examines their responses, determining whether they are malicious. CyberProbe has identified 151 malicious servers and 7,881 P2P bots through 24 localized and Internet-wide scans.
Antonio Nappa; Zhaoyan Xu; M. Zubair Rafique; Juan Caballero; Guofei Gu
We revisit 14 popular UDP-based protocols of network services, online games, P2P filesharing networks and P2P botnets, all of which are vulnerable to amplification DDoS attacks. We leverage traffic analysis to detect attack victims and amplifiers, showing that attackers already started to abuse amplification-vulnerable protocols other than DNS.
Session Chair: Dongyan Xu
ROPecker achieves both high detection accuracy and efficiency in ROP defense, without relying on source code, a special compiler, or binary rewriting. A sliding window mechanism invokes run-time detection at appropriate times, identifying sufficiently long chains of gadgets in both past and future execution flows.
Yueqiang Cheng; Zongwei Zhou; Miao Yu; Xuhua Ding; Robert H. Deng
Attackers can leverage security vulnerabilities in control systems to make physical processes behave unsafely. We present the Trusted Safety Verifier (TSV), a minimal TCB for the verification of safety-critical code executed on programmable controllers. No controller code is allowed to be executed before it passes physical safety checks by TSV.
Stephen McLaughlin; Saman Zonouz; Devin Pohly; Patrick Drew McDaniel
In this paper we present AVATAR, a framework that enables complex dynamic analysis of embedded devices, orchestrating firmware emulation together with real hardware. We demonstrate its utility by performing symbolic execution and vulnerability analysis of several devices, including a hard-disk controller, a GSM feature phone and a wireless sensor node.
Jonas Zaddach; Luca Bruno; Aurélien Francillon; Davide Balzarotti
We present SafeDispatch, a defense to prevent C++ vtable hijacking attacks that take over the control flow of a program via corrupted vtable pointers. SafeDispatch inserts dynamic checks to ensure that virtual call targets are type-safe based on class-hierarchy information. Chromium hardened with SafeDispatch has 2.1% runtime overhead after optimizations.
Dongseok Jang; Zachary Tatlock; Sorin Lerner
Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training Memoization
Recent advances show that we can reuse legacy binary code to bridge the semantic gap for VMI. However, existing solutions often have high overhead. This paper presents Hybrid-Bridge, a new system that uses decoupled execution and training memoization to bridge the semantic gap, making it one order of magnitude faster according to our experimental results.
Alireza Saberi; Yangchun Fu; Zhiqiang Lin
Session Chair: XiaoFeng Wang
Many third-party Android apps such as screenshot and USB tethering require access to critical system resources. A typical way to do so is using Android Debug Bridge (ADB). However, we find that such ADB-level capabilities are not well guarded by Android. We further present Screenmilker, a situation-aware app that exploits these capabilities to stealthily extract users’ passwords in real time.
Chia-Chi Lin; Hongyang Li; Xiaoyong Zhou; XiaoFeng Wang
This paper shows that accelerometers on smartphones possess unique fingerprints, i.e., they respond differently to the same stimulus. The differences in responses are subtle enough that they do not affect the rated functionality. Nonetheless, we demonstrate that, upon close inspection, these fingerprints emerge with consistency, enabling user tracking without cookies.
Sanorita Dey; Nirupam Roy; Wenyuan Xu; Romit Roy Choudhury; Srihari Nelakuditi
Trustworthy location statements from a smartphone trusted execution environment (TEE) enable secure second-factor authentication for point-of-sale payments. We provide two user device enrollment solutions that are resistant against powerful but realistic adversaries. A city-wide field study shows the applicability of the proposed second-factor authentication mechanism.
Claudio Marforio; Nikolaos Karapanos; Claudio Soriente; Kari Kostiainen; Srdjan Capkun
Hybrid application frameworks introduce new browser APIs that let Web applications access native resources on mobile devices. We analyze inconsistencies between access control policies at different levels of the hybrid software stack, demonstrate how they expose native resources to malicious Web content, and propose a defense.
Martin Georgiev; Suman Jana; Vitaly Shmatikov
We found that today’s Android design allows an app with a Bluetooth permission to gain unauthorized access to any Bluetooth devices (particularly healthcare devices) and also misbind the phone with an attack device to inject data to the official apps of the original devices. We also developed an OS-level protection to address this new challenge.
Muhammad Naveed; Xiaoyong Zhou; Soteris Demetriou; XiaoFeng Wang; Carl Gunter
Session Chair: Yan Chen
In a process known as spinning, spammers bypass duplicate spam detection by replacing words or phrases in an article to create new articles with similar meaning. We propose DSpin, a technique to detect spinning, and use it to evaluate the prevalence of spun content in abused wikis and article directories.
Qing Zhang; David Y. Wang; Geoffrey M. Voelker
In this paper we present a black-box testing technique to detect logic vulnerabilities in web applications. Our technique is based on the automatic identification of a number of behavioral patterns starting from a few network traces in which users interact with a certain application’s functionality. Based on the extracted model, we then generate targeted test cases following a number of common attack patterns. We applied our technique against seven eCommerce web applications, detecting 10 previously-unknown logic flaws.
Giancarlo Pellegrino; Davide Balzarotti
Macaroons are authorization credentials whose efficiency and ease-of-deployment equal that of Web cookies, thanks to their chained-HMAC construction. Unlike cookies, macaroons support efficient, widely-applicable forms of decentralized delegation, with expressiveness that rivals public-key-based mechanisms like SPKI/SDSI. Thus, macaroons can flexibly confine how, by whom, and in what context, authority can be exercised.
Arnar Birgisson; Joe Politz; Ulfar Erlingsson; Ankur Taly; Michael Vrable; Mark Lentczner
This paper describes the first technique to statically detect logic vulnerabilities in e-commerce applications. It formulates a general notion of correct payment logic and validates proper conformance via symbolic execution and taint analysis. A prototype implementation has revealed 11 new, easily exploitable vulnerabilities in widely-deployed open-source e-commerce software.
Fangqi Sun; Liang Xu; Zhendong Su
PHP is the most popular and diverse scripting language on the Web. We introduce a new static code analyzer that precisely models built-in PHP features and their interaction. Our evaluation shows that this is the key for vulnerability detection in modern applications.
Johannes Dahse; Thorsten Holz
Session Chair: Jacob Lorch
We extend “certificate transparency” so that it efficiently handles certificate revocation. We show how this extension can be used to build a secure end-to-end email or messaging system using PKI with no requirement to trust certificate authorities, or to rely on complex peer-to-peer key-signing arrangements such as PGP.
Mark D. Ryan
We show that real implementations of the pseudonym changing mechanism do not achieve the intended privacy goals and that it is possible to exploit the TMSI reallocation procedure to track mobile telephony users. We propose countermeasures to tackle the exposed vulnerabilities and formally prove a sufficient condition to provide unlinkability.
Loretta Ilaria Mancini; Myrto Arapinis; Mark Ryan; Eike Ritter
Continuous monitoring of distributed data streams is a difficult challenge in privacy research, since with any new information exchange, the cost in privacy accumulates. In this paper, we study the relationship between communication efficiency and privacy loss, and present a general framework that enables monitoring arbitrary functions over statistics derived from distributed data streams in a privacy-preserving way.
Arik Friedman; Izchak Sharfman; Daniel Keren; Assaf Schuster
We present a memory-based denial-of-service (DoS) attack that exploits Tor’s flow control algorithm to remotely kill a Tor relay’s process. We show how the attack may be used to deanonymize hidden services while presenting defenses that provably render the attack ineffective and protect hidden services against DoS attacks in general.
Rob Jansen; Florian Tschorsch; Aaron Johnson; Björn Scheuermann
This paper studies how personal data is exchanged by advertising companies via Real Time Bidding (RTB) and Cookie Matching. We show that a large proportion of users’ web histories leaks to 3rd-party companies through RTB, and that users’ browsing history elements are routinely being sold off for less than $0.0005.
Claude Castelluccia; Lukasz Olejnik; Minh-Dung Tran
Session Chair: Apu Kapadia
We investigate how an attacker can leverage leaked passwords from one site to more easily guess passwords at other sites. Our study found 42-51% of the users reusing the same password across multiple sites. We further identify a few transformation rules that users employ to modify a basic password between sites, which can be exploited by an attacker to make password guessing vastly easier.
Anupam Das; Joseph Bonneau; Matthew Caesar; Nikita Borisov; XiaoFeng Wang
We present the first framework for segmentation, semantic classification and generalization of passwords and demonstrate how probabilistic grammars encoding the semantics of password samples can lead to better cracking results than the state-of-the-art method. In sessions of 3 billion guesses, we guess approximately 67% more passwords from the LinkedIn leak and 32% more passwords from the MySpace leak.
Rafael Veras; Christopher Collins; Julie Thorpe
We analyze password-strength meters from 11 highly popular web services by reverse-engineering their functionality, and testing them against nearly 4 million passwords from common dictionaries. Our results provide prominent characteristics of these meters, and show severe inconsistencies in strength outcomes that may confuse users in choosing a stronger password.
Xavier de Carné de Carnavalet; Mohammad Mannan
Session Chair: Srdjan Capkun
We present Copker, the first work that exploits on-chip cache to implement the RSA cryptosystem entirely within CPU. Copker protects private keys from attackers who have physical access to the machine (e.g., cold-boot attacks). The large size of cache allows memory-intensive algorithms, such as CRT-enabled RSA, to be implemented without RAM.
Le Guan; Jingqiang Lin; Bo Luo; Jiwu Jing
We construct an encrypted search index data structure capable of searching large datasets in microseconds. It only reveals the results of the search queries and preserves the privacy of the remaining data. Unlike prior work, we handle efficiently searching dynamically changing data while simultaneously maintaining strong privacy guarantees.
Emil Stefanov; Charalampos Papamanthou; Elaine Shi
We propose a novel anonymous credential scheme that eliminates the need for trusted credential issuers. Our approach builds on recent results in distributed anonymous e-cash and uses techniques — such as the calculation of a distributed transaction ledger — that are currently in widespread deployment in the Bitcoin payment system.
Christina Garman; Matthew Green; Ian Miers
This paper gives constructions of symmetric searchable encryption with scalable performance, enabling private searching on server-held encrypted databases with tens of billions of record/keyword pairs. Our constructions are asymptotically optimal in several respects including index size and full parallelism during searching, and also demonstrate practical efficiency in our implementation.
David Cash; Joseph Jaeger; Stanislaw Jarecki; Charanjit Jutla; Hugo Krawczyk; Marcel Rosu; Michael Steiner
Session Chair: Michael Bailey
We propose a new biometric based on the human body’s response to a square pulse signal. We explore how this biometric can be used to provide secure authentication, and using a prototype setup, we show that users can be correctly identified in a matter of seconds.
Kasper B. Rasmussen; Marc Roeschlin; Ivan Martinovic; Gene Tsudik
Federated login protocols for the Web are intended to increase user security by reducing the use of passwords; however, these protocols can be vulnerable to recent attacks against TLS that aim to steal bearer tokens. This paper presents two variants of the popular Persona federated login protocol that are hardened against these types of TLS attacks.
Michael Dietz; Dan S. Wallach
We present novel Two-Factor Authentication (TFA) protocols with improved resistance against online and offline attacks. We show that our TFA protocols can utilize various device-terminal channels, involving PIN entry, QR codes, or wireless communication, and we demonstrate the security, usability and deployability advantages of the resulting TFA schemes over known TFA schemes.
Maliheh Shirvanian; Stanislaw Jarecki; Nitesh Saxena; Naveen Nathan
Determining a computer’s identity is critically important, but even hosts with trusted computing hardware can be defeated by relay and impersonation attacks. Through observing USB stack timing characteristics, we leverage Android devices and machine learning techniques to detect virtualized environments, and uniquely fingerprint hosts amidst fields of identically specified machines.
Adam Bates; Ryan Leonard; Hannah Pruse; Kevin Butler; Daniel Lowd
Session Chair: Wenyuan Xu
Wearable camera products (Glass, Autographer, and Narrative among others) will inevitably collect images in sensitive spaces. We introduce PlaceAvoider, a technique to identify the fine-grained location of photo content to inform access policies. PlaceAvoider performs image analysis with local and global features along with a temporal analysis for photo streams.
Robert Templeman; Mohammed Korayem; David Crandall; Apu Kapadia
We introduce Auditable Version Control Systems (AVCS), which are VCS systems designed to function under an adversarial setting. We propose an AVCS scheme for skip delta-based VCS systems, which takes a pragmatic approach and is designed for real-world VCS systems. Our prototype built on top of Apache Subversion (SVN) shows a modest decrease in performance compared to a regular (non-secure) SVN system.
Bo Chen; Reza Curtmola
Power oversubscription is becoming a trend for data centers to host more servers. However, it also leaves data centers vulnerable to malicious workloads that could cause power outages. This paper demonstrates that this new power risk is a real threat under three cloud service models and provides guidance on effective mitigation.
Zhang Xu; Haining Wang; Zichen Xu; Xiaorui Wang
To improve our understanding of Nigerian scammers’ tactics, we collect three months of data using our automated scambaiter system which posts honeypot ads on Craigslist and interacts with scammers. This paper presents the methods and prevalence of scammers along with linking a large number of scams to ten groups located in Nigeria.
Youngsam Park; Jackie Jones; Damon McCoy; Elaine Shi; Markus Jakobsson
Botmasters have experimented with many different mechanisms for monetizing compromised user PCs over the years. The past 18 months, however, have seen the rise of a particularly direct method: printing money—Bitcoin, to be exact. This paper presents the first large-scale study of the methods, prevalence, and effectiveness of Bitcoin-mining botnets.
Danny Yuxing Huang; Hitesh Dharmdasani; Sarah Meiklejohn; Vacha Dave; Chris Grier; Damon McCoy; Stefan Savage; Alex C. Snoeren; Nicholas Weaver; Kirill Levchenko
Session Chair: Engin Kirda
In this paper we propose SUSI, a novel machine-learning guided approach for identifying and categorizing previously unknown privacy-sensitive sources and sinks directly from the code of any Android API (e.g., Android 4.3 or GoogleGlass). Our results improve both static and dynamic analysis tools in detecting malicious information flows more completely.
Steven Arzt; Siegfried Rasthofer; Eric Bodden
We present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost its defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel, AirBag is designed to isolate and prevent malicious apps from infecting our normal systems or leaking private information.
Chiachih Wu; Yajin Zhou; Kunal Patel; Zhenkai Liang; Xuxian Jiang
SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps
Many Android apps use SSL/TLS to transmit sensitive information securely. However, developers can override the standard SSL/TLS certificate validation process, introducing vulnerabilities. In this paper, we present SMV-Hunter, a system for the automatic, large-scale identification of such vulnerabilities combining static and dynamic analysis, and evaluate it on 23,418 apps.
David Sounthiraraj; Justin Sahs; Zhiqiang Lin; Latifur Khan; Garrett Greenwood
AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications
Component hijacking is a class of Android application vulnerabilities, which can be exploited to exfiltrate sensitive information and compromise data integrity. We propose a technique for automatic patch generation. Given a vulnerable app and a discovered component hijacking vulnerability, we automatically generate a patch to disable this vulnerability.
Mu Zhang; Heng Yin
Android allows applications to load additional code from external sources at runtime. We demonstrate that this introduces vulnerabilities in a considerable number of benign applications, while it allows malware to evade offline analysis systems, such as the Google Bouncer. Finally, we propose a modification to Android to counter this threat.
Sebastian Poeplau; Yanick Fratantonio; Antonio Bianchi; Christopher Kruegel; Giovanni Vigna
Session Chair: Davide Balzarotti
In this paper, we look at the collective network traffic produced by thousands of clients, and we detect malware downloads without analyzing the downloaded programs. Instead, we study patterns that become apparent only when leaving the myopic view of individual downloads, by observing malware distribution infrastructures as sophisticated and blacklist-resilient content distribution networks.
Luca Invernizzi; Stanislav Miskovic; Ruben Torres; Sabyasachi Saha; SJ Lee; Marco Mellia; Christopher Kruegel; Giovanni Vigna
In this paper, we show that persistent data-only malware is not only possible, but also a realistic threat. To demonstrate this, we state the requirements of persistent data-only malware, discuss the challenges associated with its creation, and show how these challenges can be solved in practice.
Sebastian Vogl; Jonas Pfoh; Thomas Kittel; Claudia Eckert
We propose Drebin, a lightweight method for detection of Android malware that operates directly on the smartphone. Drebin performs a broad static analysis of Android applications and automatically identifies typical patterns of malicious activities that can be presented to the user. Empirically, Drebin outperforms related approaches and enables detecting 94% of the malware in a large dataset with few false alarms.
Daniel Arp; Michael Spreitzenbarth; Malte Hübner; Hugo Gascon; Konrad Rieck
We propose a security system called Gyrus that guarantees a system’s network-behavior is consistent with user-intent. Gyrus captures user intent from what is displayed on screen, and enforces the “What-You-See is What-You-Send” policy. Gyrus can be applied to various everyday applications (e.g., e-mail, online banking) with negligible delay to users’ interaction.
Yeongjin Jang; Simon P. Chung; Bryan D. Payne; Wenke Lee
We introduce a neuroscience-based methodology to investigate user-centered security. We present an fMRI study measuring users’ security performance and neural activity while detecting phishing websites, and heeding malware warnings. We identify the neural-markers likely governing users’ security performance, and establish relationships between brain activity, personality traits and behavioral performance, and discuss broader implications.
Ajaya Neupane; Nitesh Saxena; Keya Kuruvilla; Michael Georgescu; Rajesh Kana
Session Chair: Lujo Bauer
Recent instances of mis-issued certificates have raised concerns about certification authorities. We propose a PKI monitoring framework to classify certificates based on their issuance template and evaluate adherence to the CA/Browser Forum requirements. We run our analysis on a large sample of recently issued certificates.
Antoine Delignat-Lavaud; Martín Abadi; Andrew Birrell; Ilya Mironov; Ted Wobber; Yinglian Xie
Traditionally, there have been two cryptographic techniques for hiding a client’s access pattern from an untrusted server: Private Information Retrieval, which involves expensive computation, and Oblivious RAM, which requires significant communication overhead. We present a hybrid system, using ideas from both, which overcomes the individual weaknesses of each to obtain significantly increased efficiency.
Travis Mayberry; Erik-Oliver Blass; Agnes Hui Chan
In contrast to cryptography, physical layer security lacks sound attack methodologies. For the latter domain, we develop the equivalence to known-plaintext attacks. To evaluate the attack’s efficacy in theory and practice, we apply our attack and break orthogonal blinding, a scheme to increase the confidentiality of wireless communications.
Matthias Schulz; Adrian Loch; Matthias Hollick
TLS client certificate authentication has significant security advantages over HTML form-based password authentication. In this paper we discuss practical security and usability issues related to TLS client certificate authentication. We complement our paper with a measurement study performed in Estonia where TLS client certificate authentication is widely used.