Wednesday, 8 February
07:30-08:30 - Continental Breakfast
08:30-09:50 - Session 10: Host Security
Chair: Xuxian Jiang, North Carolina State University
Discovering Semantic Data of Interest from Un-mappable Memory with Confidence
Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu
Memory pages belonging to a terminated process may remain in a system for a non-trivial period of time. Discovering semantic information from those memory pages is useful in cyber-forensics. We present a technique called DIMSUM for recognizing data structure instances -- without memory mapping information. Via probabilistic inference, DIMSUM is able to identify semantic data of interest with quantifiable confidence.
SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes
Kun Sun, Jiang Wang, Fengwei Zhang and Angelos Stavrou
We introduce a novel BIOS-assisted mechanism for secure generation and management of trusted execution environments. Our approach is capable of completely segregating trusted and untrusted operations. The aim is to be user friendly and swiftly switch - it takes approximately 6 seconds - between execution environments running in a physical machine without requiring any specialized hardware, OS, or application modifications.
SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust
Karim Eldefrawy, Gene Tsudik, Aurélien Francillon and Daniele Perito
We construct a hardware security architecture (called SMART) for efficient and secure establishment of a dynamic root of trust in remote embedded devices. It is geared towards low-end MCUs and requires minimal hardware changes. Its feasibility and practicality are demonstrated on two common MCU platforms: AVR and MSP430.
Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring
Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu and Changzhen Hu
This paper presents Kruiser, a concurrent kernel heap buffer overflow monitor. Leveraging the multi-core architectures, Kruiser migrates security enforcement from the kernel's normal execution to a concurrent monitor process, which is protected using contemporary virtualization features. To reduce the synchronization overhead between the monitor process and the running kernel, Kruiser adopts a novel semi-synchronized non-blocking monitoring algorithm.
Break
10:00-10:45 - Keynote: Authentication at Scale
Eric Grosse, Vice President of Security Engineering, Google
Break
11:00-12:20 - Session 11: Web
Chair: Nikita Borisov, University of Illinois at Urbana Champaign
WarningBird: Detecting Suspicious URLs in Twitter Stream
Sangho Lee and Jong Kim
We introduce WarningBird, a real-time suspicious URL detection system for Twitter. To detect cloaked suspicious URLs, we investigate correlated redirect chains of URLs included in a number of tweets. Evaluation results show that our system can accurately and efficiently classify large tweet samples from the Twitter public timeline.
Using replicated execution for a more secure and reliable web browser
Hui Xue, Nathan Dautenhahn and Samuel King
Modern web browsers are complex. Individually, they are all prone to security vulnerabilities and crashes. However, major browsers are distinct implementations that rarely share the same vulnerability. In other words, a single attack rarely succeeds in exploiting all browsers. We propose Cocktail, a system using replicated execution of Firefox, Google Chrome, and Opera to defend against browser attacks and withstand browser crashes.
Host Fingerprinting and Tracking on the Web: Privacy and Security Implications
Ting-Fang Yen, Yinglian Xie, Fang Yu, Roger Peng Yu and Martin Abadi
This paper presents a large-scale study to quantify the amount of information revealed by common host identifiers, based on month-long datasets collected by Hotmail and Bing. It further demonstrates the privacy and security implications of host-tracking in the context of cookie churn analysis and host mobility study, where we uncover previously undetected cookie-forwarding attacks.
Chrome Extensions: Threat Analysis and Countermeasures
Lei Liu, Xinwen Zhang, Guanhua Yan and Songqing Chen
The Chrome browser employs least privilege and privilege separation principles to prevent malicious websites from damaging the browser system via extensions. In this work we reveal that Chrome's extension security model is not a panacea for all possible attacks with browser extensions. We demonstrated attack scenarios from malicious browser extensions and proposed a few countermeasures accordingly.
12:20-13:40 - Lunch
13:40-15:00 - Session 12: Networking II
Chair: Yan Chen, Northwestern University
Ghost Domain Names: Revoked Yet Still Resolvable
Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu
It is a common belief that one can delete a bad domain from the DNS registry to stop related malicious activities. Surprisingly, the deleted domain can still be kept alive worldwide due to an unnoticed vulnerability in DNS. This paper presents the phenomenon of ghost domain names and the mechanism behind it.
ShortMAC: Efficient Data-Plane Fault Localization
Xin Zhang, Zongwei Zhou, Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Adrian Perrig and Patrick Tague
Data-plane fault localization is a promising means of enhancing network availability. However, existing fault localization protocols cannot achieve a practical tradeoff between security and efficiency. In this paper, we propose an efficient fault localization protocol called ShortMAC, which leverages probabilistic packet authentication and achieves 100 - 10000 times lower detection delay and overhead than related work.
Bypassing Space Explosion in Regular Expression Matching for Network Intrusion Detection and Prevention Systems
Jignesh Patel, Alex Liu and Eric Torng
NDSes/NPSes use regular expressions, represented as automata, to detect security threats. Prior automata construction algorithms use a “Union then Minimize” framework, which leads to extensive memory usage. In this paper, we propose a “Minimize then Union” framework for constructing compact alternative automata focusing on the DDFA. In our experiments, our algorithm runs up to 302 times faster and uses 1390 times less memory than previous algorithms.
The Case for Prefetching and Prevalidating TLS Server Certificates
Emily Stark, Lin-Shung Huang, Dinesh Israni, Collin Jackson and Dan Boneh
By prefetching and prevalidating server certificates, web browsers can enable TLS handshakes with zero round trips that are up to four times faster than a normal handshake. This proposal improves web security by allowing more time for certificate validation and making it less costly for websites to enable TLS.
Break
15:10-15:50 - Session 13: Distributed Systems
Chair: Adrian Perrig, Carnegie Mellon University
Gatling: Automatic Attack Discovery in Large-Scale Distributed Systems
Hyojeong Lee, Jeff Seibert, Charles Killian and Cristina Nita-Rotaru
We propose Gatling, a framework that automatically finds performance attacks caused by insider attackers in large-scale message-passing distributed systems. In performance attacks, malicious nodes deviate from the protocol with the goal of degrading system performance. We applied Gatling to six systems and found a total of 41 attacks.
Automated Synthesis of Secure Distributed Applications
Michael Backes, Matteo Maffei and Kim Pecina
Designing distributed applications that preserve the privacy of users is a daunting task, which even security experts consider error-prone. We present a solution based on an intuitive, high-level specification language that hides cryptographic and networking details, and a compiler that automatically turns user-provided system specifications into secure executable code.
Break
16:00-17:00 - Session 14: Software
Chair: Dongyan Xu, Purdue University
A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware
Kangkook Jee, Georgios Portokalidis, Vasileios P. Kemerlis, Soumyadeep Ghosh, David I. August and Angelos D. Keromytis
We present and evaluate a novel methodology for improving the performance overhead of dynamic data flow tracking (DDFT) frameworks, by combining static and dynamic analysis. Specifically, we separate the program logic from the corresponding tracking logic, and apply optimization techniques that eliminate redundant tracking and minimize interference with the target program. Our results indicate a DDFT speedup by as much as 2.23x.
Static detection of C++ vtable escape vulnerabilities in binary code
David Dewey and Jon Giffin
The complexities of C++ create new memory safety vulnerabilities not present in simpler software. We present vtable escape bugs, a type confusion error present in real, deployed C++ software, and we show how automated binary code analyses can statically detect the security defects by reconstructing high-level classes and objects.
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Mingwei Zhang, Aravind Prakash, Xiaolei Li, Zhenkai Liang and Heng Yin
Due to the complexity of the victim programs and sophistication of recent exploits, existing diagnosis techniques either miss important attack steps or report too much irrelevant information. As the key steps in memory-corruption exploits often involve pointer misuses, we proposed PointerScope to automatically infer types on binary execution, detect pointer misuses, and then highlight the key steps of the exploit.