Wednesday, February 27
7:30 am - 8:30 am | Continental Breakfast
You Can't Do Today's Security With Yesterday's Methods
Joe Sullivan, Chief Security Officer, Facebook
Session Chair: Peng Ning, NC State University
"Creative thinking is not a talent, it is a skill that can be learnt. It empowers people by adding strength to their natural abilities which improves teamwork, productivity and where appropriate profits." -- Edward De Bono
As the manager of teams responsible for product and information security at Facebook, Joe believes deeply in the need for operational security teams to remain creative and push limits and not settle into playing passive defense. Innovation starts with any member of a security team and can inspire not only that team but a whole company to achieve security standards well beyond the "minimum compliance standards" some organizations accept. Joe will give examples of several different ways his team has evolved dramatically in the last year to address the growing security challenges faced by Facebook's unprecedented development around the world, and show how willingness to innovate and take chances and unwillingness to fall back on accepted standards were fundamental to the team's success in each case.
Session 9: Privacy and Anonymity
9:15 am – 10:15 am
Session Chair: Paul Syverson, Naval Research Lab
One (Block) Size Fits All: PIR and SPIR Over Arbitrary-Length Records via Multi-block PIR Queries
We propose a communication-efficient method for users to fetch multiple blocks in Goldberg's information-theoretic private information retrieval (PIR) scheme. Our approach trades off some Byzantine robustness to improve throughput without affecting privacy. We leverage our multi-block queries to construct four symmetric PIR (SPIR) protocols for databases with variable-length records. Three of our protocols support pricing and are therefore well suited to privacy-friendly sales of digital goods.
Ryan Henry, Yizhou Huang and Ian Goldberg
rBridge: User Reputation based Tor Bridge Distribution with Privacy Preservation
A key challenge to the Tor bridge based circumvention system is to distribute bridges to a large scale of users while avoiding bridges falling into the hands of corrupt users. We propose rBridge -- a user reputation system for bridge distribution to limit corrupt users from repeatedly blocking bridges. In addition, we study the privacy preservation problem in bridge distribution and propose a privacy-preserving rBridge scheme.
Qiyan Wang, Zi Lin, Nikita Borisov and Nicholas J. Hopper
An Empirical Evaluation of Relay Selection in Tor
We develop large network graphs that capture the live Tor network's autonomous system boundaries, points-of-presence, inter-relay latencies and relay performance characteristics. Using our network models, we evaluate a series of proposed relay selection strategies under various network conditions. We additionally quantify the anonymity properties of each approach using simulations driven by data from the live Tor network.
Christopher Wacek, Henry Tan, Kevin Bauer and Micah Sherr
Session 10: Anonymity, Authentication and Attacks
10:35 am - 12:15 pm
Session Chair: Xiaofeng Wang, Indiana University
LIRA: Lightweight Incentivized Routing for Anonymity
A lack of incentives for volunteers to contribute resources to Tor has lead to performance and scalability problems while hindering user anonymity. We introduce LIRA, a scheme that uses proportional differentiation to produce performance incentives for contributors and a novel cryptographic lottery scheme that is more efficient and provides better anonymity than previous Tor incentive proposals.
Rob Jansen, Aaron Johnson and Paul Syverson
KinWrite: Handwriting-Based Authentication Using Kinect
We propose a user-friendly authentication system (KinWrite) that lets users write their passwords in 3D space and captures the handwriting movement using a low cost motion input sensing device -- Kinect. Because of the built-in behavioral biometrics in handwriting, KinWrite allows users to choose short and easy-to-memorize passwords while providing resistance to password cracking.
Jing Tian, Chengzhang Qu, Wenyuan Xu and Song Wang
Tailing RFID Tags for Clone Detection
We propose a new approach to detection of counterfeit tags and goods in RFID-enabled supply chains. Called tailing, our approach involves periodic insertion of random data into tags, creating a kind of "synthetic pedigree." We show in supply-chain simulations how our approach enables a verifier to detect bogus tags even when hindered by partial visibility.
Davide Zanetti, Srdjan Capkun and Ari Juels
One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography
Often a cryptographic standard offers a choice between several algorithms to perform the same cryptographic task, including secure state-of-the-art cryptosystems, as well as insecure legacy cryptosystems with known vulnerabilities that are made available for backwards compatibility reasons. Obviously using insecure legacy cryptosystems is dangerous. However, we show the less obvious fact that even if users have the best of intentions to use only the most up-to-date, vulnerability-free version of a system, the mere existence of support for old versions can have a catastrophic effect on security.
Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky
Does counting still count? Revisiting the Security of Counting based User Authentication Protocols against Statistical Attacks
At NDSS 2012, Yan et al. proposed a generic statistical attack on counting-based authentication protocols. However, they did not give details of any fixes against this attack barring a few suggestions. We generalize this attack with a much more comprehensive theoretical analysis, and propose two fixes to make counting-based protocols practically safe against the attack at the cost of usability.
Hassan Jameel Asghar, Shujun Li, Ron Steinfeld and Josef Pieprzyk
12:15 pm – 1:40 pm | Lunch
Session 11: Distributed Systems Security
1:40 pm – 3:20 pm
Session Chair: Heng Yin, Syracuse University
Toward Online Verification of Client Behavior in Distributed Applications
We present a new technique by which a server can verify the consistency of a client's behavior with the sanctioned client software, even though the server does not know inputs local to the client that are driving its behavior. Our approach improves upon previous approaches in precision, bandwidth consumption, and/or computational expense.
Robert A. Cochran and Michael K. Reiter
Clear and Present Data: Opaque Traffic and its Security Implications for the Future
Opaque, i.e., compressed or encrypted, traffic incurs high overhead for DPI engines yet often yields little useful information. Our experiments indicate that 89% of payload-carrying TCP packets are opaque. We provide a first step toward addressing the challenges presented by the abundance of opaque traffic by introducing new techniques for accurate real-time filtering of opaque packets in 16 bytes or less.
A.M. White, S. Krishnan, M. Bailey, F. Monrose, P. Porras
Verito: A Practical System for Transparency and Accountability in Virtual Economies
We propose Verito, a practical solution that provides transparency and accountability for purchase of virtual goods and services online platforms like Facebook, Xbox and IOS. Consumer interests, including transparency, fairness, non-repudiation, and performance issues, are protected through the use of a novel combination of cryptographic solutions, without the need to rely solely on platform providers or regulation.
Raghav Bhaskar, Saikat Guha, Srivatsan Laxman, and Prasad Naldurg
Secure Computation on Floating Point Numbers
This work proposes the first feasible solutions for secure multi-party computation with real numbers in floating point representation. It also provides techniques for performing more complex operations such as square root, logarithm, and exponentiation. Our experiments show that not only are the proposed protocols efficient, but in certain cases they outperform operations on integers.
Mehrdad Aliasgari, Marina Blanton, Yihua Zhang and Aaron Steele
Analyzing Unique-Bid Auction Sites for Fun and Profit
Unique-Bid auction sites have gained popularity on the Internet in recent years. Using data extracted from such a site, we constructed an agent-based model simulating users’ bidding behaviors. We designed several automated winning strategies that performed well in the simulated environment. Finally, we demonstrated one strategy against a commercial auction site, achieving a 91% win rate and over 1000GBP profit.
Ory Samorodnitzky, Eran Tromer and Avishai Wool
Session 12: Network Security II
3:40 pm – 5:00 pm
Session Chair: Ehab Al-Shaer, UNC Charlotte
Fix Me Up: Repairing Access-Control Bugs in Web Applications
Access-control policies in Web applications ensure that only authorized users can navigate to privileged pages, access databases, and perform other sensitive operations. Unfortunately, errors in access-control logic are very common. We present FixMeUp, a new static analysis tool that finds access-control bugs in PHP applications and generates repairs.
Sooel Son, Kathryn S. McKinley and Vitaly Shmatikov
Automatically Inferring the Evolution of Malicious Activity on the Internet
Malicious activity (spam, scans, botnets) arises from virtually anywhere on the Internet and frequently shifts longitudinally over time. We develop the first algorithmic techniques to automatically infer regions of the Internet with shifting security characteristics in an online fashion. Our evaluations on real network data highlight some regions (some small ISPs and hosting providers) are prone to much faster changes than others.
Shobha Venkataraman, David Brumley, Subhabrata Sen and Oliver Spatscheck
Detection of Malicious PDF Files Based on Hierarchical Document Structure
In this paper, we propose an efficient static method for detection of malicious PDF documents which relies on essential differences in the structural properties of malicious and benign PDF files. We demonstrate its effectiveness on a data corpus containing about 600,000 real-world malicious and benign PDF files and evaluate its resistance against adversarial evasion attempts.
Nedim Šrndić and Pavel Laskov
Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web
This work presents the design, implementation, and deployment of a network of 500 fully functional vulnerable websites aimed at studying what attackers do after they compromise a web application. Over 100 days of experiments, our system was able to collect and cluster 6,000 attacks containing over 85,000 files. This allowed us to draw a general picture of the web application attack landscape.
Davide Canali and Davide Balzarotti
5:00 pm | Closing Remarks and Final Prize Drawing