Sunday, February 23
8:00 am – 7:00 pm
9:00 am – 5:00 pm
9:00 am – 5:00 pm
6:00 pm – 7:00 pm
Welcome Drink
Monday, February 24
7:30 am – Registration
7:30 am – 8:30 am Continental Breakfast
8:30 am – 9:00 am Welcome and Opening Remarks
9:00 am – 10:00 am Hacking the Human: The Science of Human Pentesting Perfected (Christopher Hadnagy, Chief Human Hacker, Social-Engineer, Inc.)
10:30 am – 12:10 pm Session 1: Network Security
12:10 pm – 1:10 pm  Lunch
1:10 pm – 2:50 pm Session 2: Software and System Security
3:20 pm – 5:00 pm Session 3: Security of Mobile Devices I
7:00 pm – 9:00 pm Reception with Posters
Tuesday, February 25
7:30 am – 8:30 am Continental Breakfast
8:30 am — 10:10 am Session 4: Web Security
10:30 am – 12:10 pm Session 5: Privacy
12:10 pm – 1:10 pm  Lunch
1:10 pm — 2:10 pm Session 6: Authentication and Identity I
2:30 pm — 3:50 pm Session 7: Crypto I
4:10 pm — 5:30 pm Session 8: Authentication and Identity II
7:00 pm – 9:00 pm Buffet Dinner
Wednesday, February 26
7:30 am – 8:30 am Continental Breakfast
8:30 am – 10:10 am Session 9: New Applications, Attacks, and Security Economics
10:30 am – 12:10 pm Session 10: Security of Mobile Devices II
12:10 pm – 1:10 pm  Lunch
1:10 pm – 2:50 pm  Session 11: Malware
3:20 pm – 4:40 pm Session 12: Crypto II
4:40 pm Closing Remarks and Final Prize Drawing


Hacking the Human:  The Science of Human Pentesting Perfected

Christopher Hadnagy
Chief Human Hacker
Social-Engineer, Inc.

Chris Hadnagy, aka loganWHD, is the President and CEO of Social-Engineer, Inc. He specializes in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit. He has been in security and technology for over 16 years.

Chris is a graduate of Dr. Paul Ekman’s courses in Microexpressions, having passed the certification requirements with an “Expert Level” grade. He also has significant experience in training and educating students in non-verbal communications. He also hold certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).

Chris has written a number of articles for local, national, and international publications and journals to include Pentest Mag,, and local and national Business Journals. In addition, he is the author of the best-selling book, Social Engineering: The Art of Human Hacking.

Chris has developed one of the web’s most successful security podcasts. The Social-Engineer.Org Podcast spends time each month analyzing an individual who must use influence and persuasion in their daily lives. By dissecting their choices and actions, we can learn to enhance our abilities. That same analysis applies to the equally-popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff.

Session 1:  Network Security

Session Chair: Guofei Gu

On the Mismanagement and Maliciousness of Networks

We systematically explore the widely held, anecdotal belief that mismanaged networks are responsible for a wide range of security incidents. Utilizing Internet-scale measurements and global feeds of malicious activities, we show a statistically significant correlation between mismanaged networks and networks that are responsible for malicious behavior on the Internet.

Jing Zhang; Zakir Durumeric; Michael Bailey; Manish Karir; Mingyan Liu

No Direction Home: The True Cost of Routing Around Decoys

Decoy routing systems circumvent censorship by relying on cooperating ISPs in the middle of the Internet.  A recent study suggested that censors can defeat decoy routing by manipulating interdomain routes. We analyze the costs of launching this attack and quantify its negative impact on the networks in the censoring region.

Amir Houmansadr; Edmund Wong; Vitaly Shmatikov

Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission

In this work, we show two attacks on cellular data accounting systems where a user is either overcharged with spurious TCP retransmission or uses the service for free via TCP tunneling. We propose Abacus, an accurate accounting system that detects TCP tunneling attacks even in the 10 Gbps networks.

Younghwan Go; Jongil Won; Denis Foo Kune; EunYoung Jeong; Yongdae Kim; KyoungSoo Park

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers

CyberProbe implements a novel active probing approach for detecting malicious servers and compromised hosts that listen for network requests. It sends probes to remote hosts and examines their responses, determining whether they are malicious. CyberProbe has identified 151 malicious servers and 7,881 P2P bots through 24 localized and Internet-wide scans.

Antonio Nappa; Zhaoyan Xu; M. Zubair Rafique; Juan Caballero; Guofei Gu

Amplification Hell: Revisiting Network Protocols for DDoS Abuse

We revisit 14 popular UDP-based protocols of network services, online games, P2P filesharing networks and P2P botnets, all of which are vulnerable to amplification DDoS attacks. We leverage traffic analysis to detect attack victims and amplifiers, showing that attackers already started to abuse amplification-vulnerable protocols other than DNS.

Christian Rossow

Session 2:  Software and System Security

Session Chair: Dongyan Xu

ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks

ROPecker achieves both high detection accuracy and efficiency in ROP defense, without relying on source code, special compiler, or binary rewriting. A sliding window mechanism invokes the run-time detection in proper timings, which identifying sufficiently long chains of gadgets in both past and future execution flows.

Yueqiang Cheng; Zongwei Zhou; Miao Yu; Xuhua Ding; Robert H. Deng

A Trusted Safety Verifier for Process Controller Code

Attackers can leverage security vulnerabilities in control systems to make physical processes behave unsafely. We present the Trusted Safety Verifier (TSV), a minimal TCB for the verification of safety-critical code executed on programmable controllers. No controller code is allowed to be executed before it passes physical safety checks by TSV.

Stephen McLaughlin; Saman Zonouz; Devin Pohly; Patrick Drew McDaniel

AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares

In this paper we present AVATAR, a framework that enables complex dynamic analysis of embedded devices, orchestrating firmware emulation together with real hardware. We demonstrate its utility by performing symbolic execution and vulnerability analysis of several devices, including a hard-disk controller, a GSM feature phone and a wireless sensor node.

Jonas Zaddach; Luca Bruno; Aurélien Francillon; Davide Balzarotti

SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks

We present SafeDispatch, a defense to prevent C++ vtable hijacking attacks that take over the control flow of a program via corrupted vtable pointers. SafeDispatch inserts dynamic checks to ensure that virtual call targets are type-safe based on class-hierarchy information. Chromium hardened with SafeDispatch has 2.1% runtime overhead after optimizations.

Dongseok Jang; Zachary Tatlock; Sorin Lerner

Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training Memoization

Recent advances show that we can reuse the legacy binary code to bridge the semantic gap for VMI. However, existing solutions often have high overhead. This paper presents Hybrid-Bridge, a new system that uses decoupled execution and training memorization to bridge the semantic-gap, resulting in one order of magnitude faster according to our experimental results.

Alireza Saberi; Yangchun Fu; Zhiqiang Lin

Session 3:  Security of Mobile Devices I

Session Chair: XiaoFeng Wang

Screenmilker: How to Milk Your Android Screen for Secrets

Many third-party Android apps such as screenshot and USB tethering require access to critical system resources. A typical way to do so is using Android Debug Bridge (ADB). However, we find that such ADB-level capabilities are not well guarded by Android. We further present Screenmilker, a situation-aware app that exploits these capabilities to stealthily extract users’ passwords in real time.

Chia-Chi Lin; Hongyang Li; Xiaoyong Zhou; XiaoFeng Wang

AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable

This paper shows that accelerometers on smartphones possess unique fingerprints, i.e., they respond differently to the same stimulus. The differences in responses are subtle enough that they do not affect the rated functionality. Nonetheless, we demonstrate that, upon close inspection, these fingerprints emerge with consistency, enabling user tracking without cookies.

Sanorita Dey; Nirupam Roy; Wenyuan Xu; Romit Roy Choudhury; Srihari Nelakuditi

Smartphones as Practical and Secure Location Verification Tokens for Payments

Trustworthy location statements from a smartphone trusted execution environment (TEE) enable secure second-factor authentication for point-of-sale payments. We provide two user device enrollment solutions that are resistant against powerful but realistic adversaries. A city-wide field study shows the applicability of the proposed second-factor authentication mechanism.

Claudio Marforio; Nikolaos Karapanos; Claudio Soriente; Kari Kostiainen; Srdjan Capkun

Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks

Hybrid application frameworks introduce new browser APIs that let Web applications access native resources on mobile devices.  We analyze inconsistencies between access control policies at different levels of the hybrid software stack, demonstrate how they expose native resources to malicious Web content, and propose a defense.

Martin Georgiev; Suman Jana; Vitaly Shmatikov

Inside Job: Understanding and Mitigating the Threat of External Device Mis-Binding on Android

We found that today’s Android design allows an app with a Bluetooth permission to gain unauthorized access to any Bluetooth devices (particularly healthcare devices) and also misbind the phone with an attack device to inject data to the official apps of the original devices.  We also developed an OS-level protection to address this new challenge.

Muhammad Naveed; Xiaoyong Zhou; Soteris Demetriou; XiaoFeng Wang; Carl Gunter

Session 4:  Web Security

Session Chair: Yan Chen

DSpin: Detecting Automatically Spun Content on the Web

In a process known as spinning, spammers bypass duplicate spam detection by replacing words or phrases in an article to create new articles with similar meaning.  We propose DSpin, a technique to detect spinning, and use it to evaluate the prevalence of spun content in abused wikis and article directories.

Qing Zhang; David Y. Wang; Geoffrey M. Voelker

Toward Black-Box Detection of Logic Flaws in Web Applications

In this paper we present a black-box testing technique to detect logic vulnerabilities in web applications. Our technique is based on the automatic identification of a number of behavioral patterns starting from few network traces in which users interact with a certain application’s functionality. Based on the extracted model, we then generate targeted test cases following a number common attacks patterns. We applied our technique against seven eCommerce web applications detecting 10 previously-unknown logic flaws.

Giancarlo Pellegrino; Davide Balzarotti

Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud

Macaroons are authorization credentials whose efficiency and ease-of-deployment equal that of Web cookies, thanks to their chained-HMAC construction. Unlike cookies, macaroons support efficient, widely-applicable forms of decentralized delegation, with expressiveness that rivals public-key-based mechanisms like SPKI/SDSI. Thus, macaroons can flexibly confine how, by whom, and in what context, authority can be exercised.

Arnar Birgisson; Joe Politz; Ulfar Erlingsson; Ankur Taly; Michael Vrable; Mark Lentczner

Detecting Logic Vulnerabilities in E-commerce Applications

This paper describes the first technique to statically detect logic vulnerabilities in e-commerce applications. It formulates a general notion of correct payment logic and validates proper conformance via symbolic execution and taint analysis. A prototype implementation has revealed 11 new, easily exploitable vulnerabilities in widely-deployed open-source e-commerce software.

Fangqi Sun; Liang Xu; Zhendong Su

Simulation of Built-in PHP Features for Precise Static Code Analysis

PHP is the most popular and diverse scripting language on the Web. We introduce a new static code analyzer that precisely models built-in PHP features and their interaction. Our evaluation shows that this is the key for vulnerability detection in modern applications.

Johannes Dahse; Thorsten Holz

Session 5:  Privacy

Session Chair: Jacob Lorch

Enhanced Certificate Transparency and End-to-End Encrypted Mail

We extend “certificate transparency” so that it efficiently handles certificate revocation. We show how this extension can be used to build a secure end-to-end email or messaging system using PKI with no requirement to trust certificate authorities, or to rely on complex peer-to-peer key- signing arrangements such as PGP.

Mark D. Ryan

Privacy through Pseudonymity in Mobile Telephony Systems

We show that real implementations of the pseudonym changing mechanism do not achieve the intended privacy goals and that it is possible to exploit the TMSI reallocation procedure to track mobile telephony users. We propose countermeasures to tackle the exposed vulnerabilities and formally prove a sufficient condition to provide unlinkability.

Loretta Ilaria Mancini; Myrto Arapinis; Mark Ryan; Eike Ritter

Privacy-Preserving Distributed Stream Monitoring

Continuous monitoring of distributed data streams is a difficult challenge in privacy research, since with any new information exchange, the cost in privacy accumulates. In this paper, we study the relationship between communication efficiency and privacy loss, and present a general framework that enables monitoring arbitrary functions over statistics derived from distributed data streams in a privacy-preserving way.

Arik Friedman; Izchak Sharfman; Daniel Keren; Assaf Schuster

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

We present a memory-based denial-of-service (DoS) attack that exploits Tor’s flow control algorithm to remotely kill a Tor relay’s process. We show how the attack may be used to deanonymize hidden services while presenting defenses that provably render the attack ineffective and protect hidden services against DoS attacks in general.

Rob Jansen; Florian Tschorsch; Aaron Johnson; Björn Scheuermann

Selling off User Privacy at Auction

This paper studies how personal data is exchanged by advertising companies via Real Time Bidding (RTB) and Cookie Matching. We show that a large proportion of users’ web histories leaks to 3rd-party companies through RTB, and that users’ browsing history elements are routinely being sold off for less than $0.0005.

Claude Castelluccia; Lukasz Olejnik; Minh-Dung Tran

Session 6:  Authentication and Identity I

Session Chair: Apu Kapadia

The Tangled Web of Password Reuse

We investigate how an attacker can leverage leaked passwords from one site to more easily guess passwords at other sites. Our study found 42-51% of the users reusing the same password across multiple sites. We further identify few transformation rules that users employ to modify a basic password between sites which can be exploited by an attacker to make password guessing vastly easier.

Anupam Das; Joseph Bonneau; Matthew Caesar; Nikita Borosiv; Xiaofeng wang

On Semantic Patterns of Passwords and their Security Impact

We present the first framework for segmentation, semantic classification and generalization of passwords and demonstrate how probabilistic grammars encoding the semantics of password samples can lead to better cracking results than the state-of-the-art method. In sessions of 3 billion guesses, we guess approximately 67% more passwords from the LinkedIn leak and 32% more passwords from the MySpace leak.

Rafael Veras; Christopher Collins; Julie Thorpe

From Very Weak to Very Strong: Analyzing Password-Strength Meters

We analyze password-strength meters from 11 highly popular web services by reverse-engineering their functionality, and testing them against nearly 4 million passwords from common dictionaries. Our results provide prominent characteristics of these meters, and show severe inconsistencies in strength outcomes that may confuse users in choosing a stronger password.

Xavier de Carné de Carnavalet; Mohammad Mannan

Session 7:  Crypto I

Session Chair: Srdjan Capkun

Copker: Computing with Private Keys without RAM

We present Copker, the first work that exploits on-chip cache to implement the RSA cryptosystem entirely within CPU. Copker protects private keys from attackers who have physical access to the machine (e.g., cold-boot attacks). The large size of cache allows memory-intensive algorithms, such as CRT-enabled RSA, to be implemented without RAM.

Le Guan; Jingqiang Lin; Bo Luo; Jiwu Jing

Practical Dynamic Searchable Encryption with Small Leakage

We construct an encrypted search index data structure capable of searching large datasets in microseconds. It only reveals the results of the search queries and preserves the privacy of the remaining data. Unlike prior work, we handle efficiently searching dynamically changing data while simultaneously maintaining strong privacy guarantees.

Emil Stefanov; Charalampos Papamanthou; Elaine Shi

Decentralized Anonymous Credentials

We propose a novel anonymous credential scheme that eliminates the need for trusted credential issuers. Our approach builds on recent results in distributed anonymous e-cash and uses techniques — such as the calculation of a distributed transaction ledger — that are currently in widespread deployment in the Bitcoin payment system.

Christina Garman; Matthew Green; Ian Miers

Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation

This paper give constructions of symmetric searchable encryption with scalable performance, enabling private searching on server-held encrypted databases with tens of billions of record/keyword pairs.  Our constructions are asymptotically optimal in several respects including index size and full parallelism during searching, and also demonstrate practical efficiency in our implementation.

David Cash; Joseph Jaeger; Stanislaw Jarecki; Charanjit Jutla; Hugo Krawczyk; Marcel Rosu; Michael Steiner

Session 8:  Authentication and Identity II

Session Chair: Michael Bailey

Authentication Using Pulse-Response Biometrics

We propose a new biometric based on the human body’s response to a square pulse signal. We explore how this biometric can be used to provide secure authentication, and using a prototype setup, we show that users can be correctly identified in a matter of seconds.

Kasper B. Rasmussen; Marc Roeschlin; Ivan Martinovic; Gene Tsudik

Hardening Persona – Improving Federated Web Login

Federated login protocols for the Web are intended to increase user security by reducing the use of passwords, however these protocols can be vulnerable to recent attacks against TLS that aim to steal bearer tokens.  This paper presents two variants of the popular Persona federated login protocol that are hardened against these types of TLS attacks.

Michael Dietz; Dan S. Wallach

Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices

We present novel Two-Factor Authentication (TFA) protocols with improved resistance against online and offline attacks. We show that our TFA protocols can utilize various device-terminal channels, involving PIN entry, QR codes, or wireless communication, and we demonstrate the security, usability and deployability advantages of the resulting TFA schemes over known TFA schemes.

Maliheh Shirvanian; Stanislaw Jarecki; Nitesh Saxena; Naveen Nathan

Leveraging USB to Establish Host Identity Using Commodity Devices

Determining a computer’s identity is critically important, but even hosts with trusted computing hardware can be defeated by relay and impersonation attacks.  Through observing USB stack timing characteristics, we leverage Android devices and machine learning techniques to detect virtualized environments, and uniquely fingerprint hosts amidst fields of identically specified machines.

Adam Bates; Ryan Leonard; Hannah Pruse; Kevin Butler; Daniel Lowd

Session 9:  New Applications, Attacks, and Security Economics

Session Chair: Wenyuan Xu

PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces

Wearable camera products (Glass, Autographer, and Narrative among others) will inevitably collect images in sensitive spaces. We introduce PlaceAvoider, a technique to identify the fine-grained location of photo content to inform access policies. PlaceAvoider performs image analysis with local and global features along with a temporal analysis for photo streams.

Robert Templeman; Mohammed Korayem; David Crandall; Apu Kapadia

Auditable Version Control Systems

We introduce Auditable Version Control Systems (AVCS), which are VCS systems designed to function under an adversarial setting. We propose an AVCS scheme for skip delta-based VCS systems, which takes a pragmatic approach and is designed for real-world VCS systems. Our prototype built on top of Apache Subversion (SVN) shows a modest decrease in performance compared to a regular (non-secure) SVN system.

Bo Chen; Reza Curtmola

Power Attack: An Increasing Threat to Data Centers

Power oversubscription is becoming a trend for data centers to host more servers. However,  it also leaves data centers vulnerable to malicious workload that could cause power outages. This paper demonstrates that this new power risk is a real threat under three cloud service models and provides guidance on effective mitigation.

Zhang Xu; Haining Wang; Zichen Xu; Xiaorui Wang

Scambaiter: Understanding Targeted Nigerian Scams on Craigslist

To improve our understanding of Nigerian scammers’ tactics, we collect three months of data using our automated scambaiter system which posts honeypot ads on Craigslist and interacts with scammers. This paper presents the methods and prevalence of scammers along with linking a large number of scams to ten groups located in Nigeria.

Youngsam Park; Jackie Jones; Damon McCoy; Elaine Shi; Markus Jakobsson

Botcoin: Monetizing Stolen Cycles

Botmasters have experimented with many different mechanisms for monetizing compromised user PCs over the years. The past 18 months, however, have seen the rise of a particularly direct method: printing money—Bitcoin, to be exact.  This paper presents the first large-scale study of the methods, prevalence, and effectiveness of Bitcoin-mining botnets.

Danny Yuxing Huang; Hitesh Dharmdasani; Sarah Meiklejohn; Vacha Dave; Chris Grier; Damon McCoy; Stefan Savage; Alex C. Snoeren; Nicholas Weaver; Kirill Levchenko

Session 10:  Security of Mobile Devices II

Session Chair: Engin Kirda

A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks

In this paper we propose SUSI, a novel machine-learning guided approach for identifying and categorizing previously unknown privacy-sensitive sources and sinks directly from the code of any Android API (e.g., Android 4.3 or GoogleGlass). Our results improve both static and dynamic analysis tools in detecting malicious information flows more completely.

Steven Arzt; Siegfried Rasthofer; Eric Bodden

AirBag: Boosting Smartphone Resistance to Malware Infection

We present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost its defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel, AirBag is designed to isolate and prevent malicious apps from infecting our normal systems or leaking private information.

Chiachih Wu; Yajin Zhou; Kunal Patel; Zhenkai Liang; Xuxian Jiang

SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps

Many Android apps use SSL/TLS to transmit sensitive information securely. However, developers can override the standard SSL/TLS certificate validation process, introducing vulnerabilities. In this paper, we present SMV-Hunter, a system for the automatic, large-scale identification of such vulnerabilities combining static and dynamic analysis, and evaluate it on 23,418 apps.

David Sounthiraraj; Justin Sahs; Zhiqiang Lin; Latifur Khan; Garrett Greenwood

AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications

Component hijacking is a class of Android application vulnerabilities, which can be exploited to exfiltrate sensitive information and compromise data integrity. We propose a technique for automatic patch generation. Given a vulnerable app and a discovered component hijacking vulnerability, we automatically generate a patch to disable this vulnerability.

Mu Zhang; Heng Yin

Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications

Android allows applications to load additional code from external sources at runtime. We demonstrate that this introduces vulnerabilities in a considerable number of benign applications, while it allows malware to evade offline analysis systems, such as the Google Bouncer. Finally, we propose a modification to Android to counter this threat.

Sebastian Poeplau; Yanick Fratantonio; Antonio Bianchi; Christopher Kruegel; Giovanni Vigna

Session 11:  Malware

Session Chair: Davide Balzarotti

Nazca: Detecting Malware Distribution in Large-Scale Networks

In this paper, we look at the collective network traffic produced by thousands of clients, and we detect malware downloads without analyzing the downloaded programs. Instead, we study patterns that become apparent only when leaving the myopic view of individual downloads, by observing malware distribution infrastructures as  sophisticated and blacklist-resilient content distribution networks.

Luca Invernizzi; Stanislav Miskovic; Ruben Torres; Sabyasachi Saha; SJ Lee; Marco Mellia; Christopher Kruegel; Giovanni Vigna

Persistent Data-only Malware: Function Hooks without Code

In this paper, we show that persistent data-only malware is not only possible, but also a realistic threat. To demonstrate this, we state the requirements of persistent data-only malware, discuss the challenges associated with its creation, and show how these challenges can be solved in practice.

Sebastian Vogl; Jonas Pfoh; Thomas Kittel; Claudia Eckert

DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket

We propose Drebin, a lightweight method for detection of Android malware that operates directly on the smartphone. Drebin performs a broad static analysis of Android applications and automatically identifies typical patterns of malicious activities that can be presented to the user. Empirically, Drebin outperforms related approaches and enables detecting 94% of the malware in a large dataset with few false alarms.

Daniel Arp; Michael Spreitzenbarth; Malte Hübner; Hugo Gascon; Konrad Rieck

Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications

We propose a security system called Gyrus that guarantees a system’s network-behavior is consistent with user-intent. Gyrus captures user intent from what is displayed on screen, and enforces the “What-You-See is What-You-Send” policy. Gyrus can be applied to various everyday applications (e.g., e-mail, online banking) with negligible delay to users’ interaction.

Yeongjin Jang; Simon P. Chung; Bryan D. Payne; Wenke Lee

Neural Signatures of User-Centered Security: An fMRI Study of Phishing, and Malware Warnings

We introduce a neuroscience-based methodology to investigate user-centered security. We present an fMRI study measuring users’ security performance and neural activity while detecting phishing websites, and heeding malware warnings. We identify the neural-markers likely governing users’ security performance, and establish relationships between brain activity, personality traits and behavioral performance, and discuss broader implications.

Ajaya Neupane; Nitesh Saxena; Keya Kuruvilla; Michael Georgescu; Rajesh Kana

Session 12:  Crypto II

Session Chair: Lujo Bauer

Web PKI: Closing the Gap between Guidelines and Practices

Recent instances of mis-issued certificates have raised concerns about certification authorities. We propose a PKI monitoring framework to classify certificates based on their issuance template and evaluate adherence to the CA/Browser Forum requirements. We run our analysis on a large sample of recently issued certificates.

Antoine Delignat-Lavaud; Martín Abadi; Andrew Birrell; Ilya Mironov; Ted Wobber; Yinglian Xie

Efficient Private File Retrieval by Combining ORAM and PIR

Traditionally, there have been two cryptographic techniques for hiding a client’s access pattern from an untrusted server: Private Information Retrieval, which involves expensive computation, and Oblivious RAM, which requires significant communication overhead.  We present a hybrid system, using ideas from both, which overcomes the individual weaknesses of each to obtain significantly increased efficiency.

Travis Mayberry; Erik-Oliver Blass; Agnes Hui Chan

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

In contrast to cryptography, physical layer security lacks sound attack methodologies. For the latter domain, we develop the equivalence to known-plaintext attacks. To evaluate the attack’s efficacy in theory and practice, we apply our attack and break orthogonal blinding, a scheme to increase the confidentiality of wireless communications.

Matthias Schulz; Adrian Loch; Matthias Hollick

Practical Issues with TLS Client Certificate Authentication

TLS client certificate authentication has significant security advantages over HTML form-based password authentication. In this paper we discuss practical security and usability issues related to TLS client certificate authentication. We complement our paper with a measurement study performed in Estonia where TLS client certificate authentication is widely used.

Arnis Parsovs