Tuesday, February 26
7:30 am -- 8:30 am | Continental Breakfast
Laying a Secure Foundation for Mobile Devices
8:30 am -- 9:15 am
Stephen Smalley, Trusted Systems Research Group, US National Security Agency (NSA)
Session Chair: Roger Khazan, MIT Lincoln Lab
Modern mobile devices such as smartphones and tablets have become fully general computing systems with a rich third party application ecosystem and user experience. As such, the same security problems that have long plagued the personal computer (PC) industry are becoming increasingly evident on mobile devices. Addressing these threats effectively requires a secure foundation, including both hardware and software mechanisms. Device OEMs and mobile operating system developers have an opportunity to establish such a foundation by providing the right primitives for constructing secure systems and enabling their use in commodity mobile devices. Many of the same security constructs that have been applied in the space of client and server PCs can and should be brought to the mobile arena. In this talk, we lay out a vision for secure mobile computing, including a discussion of the roles that virtualization, trusted computing, and secure operating systems play in an overall security architecture and how these mechanisms can be realized in mobile devices today.
Session 5: Social Networks and Application Security
9:15 am -- 10:15 am
Session Chair: Lujo Bauer, Carnegie Mellon University
Pisces: Anonymous Communication Using Social Networks
We show that social networks can improve user privacy! We present Pisces, a system for anonymous communication that leverages users’ trusted social contacts. Pisces minimizes an attacker's ability to compromise user anonymity by explicitly considering social trust in the design of anonymous paths. Pisces is secure against a colluding byzantine adversary, and provides better anonymity than Tor.
Prateek Mittal, Matthew Wright and Nikita Borisov
Preserving Link Privacy in Social Network based Systems
We show that it is possible to enable the design of social network based systems, while protecting the privacy of users’ social contacts. Our approach is to perturb the social network graph, by removing existing edges and adding fake edges, such that the local community structures in the network are preserved. We characterize utility and privacy of such perturbed graphs.
Prateek Mittal, Charalampos Papamanthou and Dawn Song
COMPA: Detecting Compromised Accounts on Social Networks
COMPA detects compromised, yet legitimate social network accounts by building behavioral profiles for individual accounts and matching new messages against the extracted behavior. Should multiple similar messages violate their users' behavioral profiles, COMPA declares these users as compromised. COMPA demonstrated high precision when evaluated on large-scale real-world datasets (1.4B Twitter, 106M Facebook messages).
Manuel Egele, Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna
Session 6: Mobile and Wireless Security and Privacy
10:35 am -- 12:15 pm
Session Chair: David Molnar, Microsoft Research
Social Turing Tests: Crowdsourcing Sybil Detection
We explore the feasibility of a crowdsourced system that uses human intuition to detect Sybils (fake accounts) in online social networks. We conduct a large user study using a large corpus of ground truth from Facebook and Renren, and users from Amazon Mechanical Turk and Chinese crowdsourcing systems. We find this approach promising and propose a multi-tier detection system that is both scalable and highly accurate.
Gang Wang, Manish Mohanlal, Christo Wilson, Xiao Wang, Miriam Metzger, Haitao Zheng and Ben Y. Zhao
Comparing Mobile Privacy Protection through Cross-Platform Applications
In this paper, we make the first attempt to establish a baseline for the security comparison between iOS and Android. Our analysis of 2,600 cross-platform applications shows that iOS applications consistently access more security-sensitive APIs than their counterparts on Android. We then investigate both third-party libraries and the applications' own code to reveal the underlying reasons.
Jin Han, Qiang Yan, Debin Gao, Jianying Zhou and Robert Deng
On Implementing Deniable Storage Encryption for Mobile Devices
To enable plausibly deniable encryption on mobile devices, we introduce Mobiflage that hides encrypted volumes within random data on the device's external storage. By providing a decoy key, users can plausibly deny the existence of any hidden data. Our Android prototype includes countermeasures for known weaknesses in desktop PDE systems, and highlights challenges of implementing PDE schemes on mobile systems.
Adam Skillen and Mohammad Mannan
Contextual Policy Enforcement in Android Applications with Permission Event Graphs
Malicious smartphone applications often surreptitiously access sensitive resources or abuse their privileges. We present a new approach for checking and enforcing policies concerning the context and order in which permissions and APIs may be used in an Android application. Our checker constructs Permission Event Graphs, a new, finite-state abstraction of the operating system context in which an application uses a permission. Our experiments show that we can check complex temporal policies with low false positives and false negatives.
Kevin Chen, Noah Johnson, Vijay D'Silva, Shuaifu Dai, Kyle MacNamara, Tom Magrino, Edward Wu, Martin Rinard and Dawn Song
Low-cost Standard Signatures in Wireless Sensor Networks: A Case for Reviving Pre-computation Techniques?
This work describes new pre-computation techniques for cryptographic schemes that exploit recent results on Cayley graph expanders and leverage excess energy generated by micro solar cells and small wind turbines placed on low-power devices. Our improved schemes outperform prior art by as much as 50%.
Giuseppe Ateniese, Giuseppe Bianchi, Angelo Capossele and Chiara Petrioli
12:15 pm -- 2:00 pm | Lunch
Session 7: Network Security I
2:00 pm -- 3:40 pm
Session Chair: Davide Balzarotti, EURECOM
Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting
This paper reports on a large-scale measurement study about the effects of measures against copyright infringement on One-Click Hosters (or "cyberlockers"). While such efforts are visible, their overall impact appears to be rather limited. The paper also discusses proposed new measures (such as SOPA) and finds that they may not be as successful as their proponents might expect.
Tobias Lauinger, Martin Szydlowski, Kaan Onarlioglu, Gilbert Wondracek, Engin Kirda and Christopher Kruegel
FRESCO: Modular Composable Security Services for Software-Defined Networks
OpenFlow is an open standard that has gained tremendous interest in the last few years. In this paper we introduce FRESCO, an OpenFlow security application development framework designed to facilitate the rapid design and modular composition of OF-enabled detection and mitigation modules. FRESCO offers a programming framework that enables security researchers to implement, and compose together, many different security modules.
Seungwon Shin, Phil Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu and Mabry Tyson
Intention and Origination: An Inside Look at Large-Scale Bot Queries
Modern attackers increasingly exploit search engines as a vehicle to identify vulnerabilities and to gather information for launching new attacks. In this paper, we perform a large-scale quantitative analysis of bot queries received by the Bing search engine over month-long periods. Our analysis is based on an automated system, called SBotScope, that we develop to dissect large-scale bot queries. Our study shows that 33% of bot queries are searching for vulnerabilities, followed by 11% harvesting user account information. In one of our 16-day datasets, we uncover 8.2 million hosts from botnets and 13,364 hosts from data centers submitting bot queries.
Junjie Zhang, Yinglian Xie, Fang Yu, David Soukal and Wenke Lee
Juice: A Longitudinal Study of an SEO Campaign
Black hat search engine optimization (SEO) campaigns attempt to attract and monetize traffic. Using Web site compromise and cloaking, SEO botnets can manipulate search result rankings, ultimately directing users to sites promoting scams (e.g. fake antivirus). In this paper, we infiltrate an influential SEO botnet, GR, characterize its dynamics and effectiveness and identify key scams driving its innovation.
David Y. Wang, Stefan Savage and Geoffrey M. Voelker
I want my voice to be heard: IP over Voice-over-IP for Unobservable Censorship Circumvention
We propose an unobservable censorship-resistant infrastructure, called FreeWave. FreeWave works by modulating a client’s Internet traffic into acoustic signals that are carried over VoIP connections. The use of actual VoIP connections, as opposed to traffic mimicking, allows FreeWave to relay its VoIP connections through oblivious VoIP nodes, hence keeping the FreeWave server(s) unobservable and unblockable. We prototype FreeWave over Skype.
Amir Houmansadr, Thomas Riedl, Nikita Borisov and Andrew Singer
Session 8: Short Talks
4:00 pm -- 5:40 pm
Session Chair: Peng Ning, NC State University
The Program Committee selected submissions on a range of topics for treatment as Short Talks. Priority has been given to papers that have fresh, unconventional ideas. Though not selected as full papers, these merit a place on the program.
Cong Wang, Zhen Xu, Kui Ren and Janet Wang
Xian Pan, Zhen Ling, Aniket Pingley, Wei Yu, Kui Ren, Nan Zhang and Xinwen Fu
Ralf Hund, Carsten Willems and Thorsten Holz
Matthias Wählisch, Fabian Holler, Thomas C. Schmidt and Jochen Schiller
Mohammad Rahman and Ehab Al-Shaer
Florian Kerschbaum, Thomas Schneider and Axel Schroepfer
Jun Ho Huh, Mirko Montanari, Derek Dagit, Rakesh Bobba, Dong Wook Kim, Yoonjoo Choi and Roy Campbell
Erman Ayday, Jean Louis Raisaro and Jean-Pierre Hubaux
Emil Stefanov and Elaine Shi
David Irakiza, Md Karim and Vir Phoha
Vaibhav Garg and L. Jean Camp
Mu Zhang and Heng Yin
7:00 pm -- 9:00 pm | Buffet Dinner and Rump Session
Session Chair: Will Enck, NC State University