Papers and Presentations

The NDSS 2013 programme will begin with registration on Sunday evening, 24 February, followed by invited talks and research presentations Monday through Wednesday, 25-27 February. The Symposium is scheduled to end at 5:00 pm on Wednesday. Registration includes admission to sessions, Proceedings, and all the meals and events listed in the Symposium schedule, including the dinner cruise on Mission Bay.

Monday, 25 February

07:30-08:30 - Continental Breakfast

08:30-08:50 - Opening Remarks

General Chair's Message

It is my pleasure to welcome you all back to the beautiful Catamaran Resort Hotel and Spa on Mission Bay in San Diego for the Internet Society's Network and Distributed System Security Symposium (NDSS'13). This year’s meeting is a milestone for us and we thank you for helping us celebrate the Twentieth Anniversary of what started out as the "PSRG Workshop on Network and Distributed System Security."

Program Chair's Message

It is my great pleasure to welcome you to the 20th Annual Network & Distributed System Security Symposium (NDSS 2013) held in Catamaran Resort Hotel and Spa, San Diego, CA, United States, February 24-27, 2013. NDSS fosters information exchange among researchers and practitioners of network and distributed system security.

08:50-09:35 - Keynote:
20 Years of Network and Distributed Systems Security: The Good, the Bad, and the Ugly

09:35-10:15 - Session 1: Authentication

I can be You: Questioning the use of Keystroke Dynamics as Biometrics

Keystroke dynamics refer to information about the typing patterns of individuals, such as the relative timing when the individual presses and releases each key. Prior studies suggest that such patterns are unique and cannot be easily imitated. This lays the foundation for the use of keystroke biometrics in authentication systems. The research effort in this area has thus far focused on novel detection techniques to differentiate between legitimate users and imposters.

A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication

Wireless networking technologies have fundamentally changed the way we compute, allowing ubiquitous, anytime, anywhere access to information. At the same time, wireless technologies come with the security cost that adversaries may receive signals and engage in unauthorized communication even when not physically close to a network. Because of the utmost importance of wireless security, many standards have been developed that are in wide use to secure sensitive wireless networks; one such popular standard is WPA Enterprise.

10:15-10:35 – Break

10:35-12:15 - Session 2: Mobile Security

Unobservable Re-authentication for Smartphones

The widespread usage of smartphones gives rise to new security and privacy concerns. Smartphones are becoming a personal entrance to networks, and may store private information. Due to its small size, a smartphone could be easily taken away and used by an attacker. Using a victim’s smartphone, the attacker can launch an impersonation attack, which threatens the security of current networks, especially online social networks.

PlaceRaider: Virtual Theft in Physical Spaces with Smartphones

Each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of ‘sensory malware’ has been developing that leverages these sensors to steal information from the physical environment — e.g., researchers have recently demonstrated how malware can ‘listen’ for spoken credit card numbers through the microphone, or ‘feel’ keystroke vibrations using the accelerometer. Yet the possibilities of what malware can ‘see’ through a camera have been understudied.

Detecting Passive Content Leaks and Pollution in Android Applications

In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages).

Security Enhanced (SE) Android: Bringing Flexible MAC to Android

The Android software stack for mobile devices defines and enforces its own security model for apps through its application-layer permissions model. However, at its foundation, Android relies upon the Linux kernel to protect the system from malicious or flawed apps and to isolate apps from one another. At present, Android leverages Linux discretionary access control (DAC) to enforce these guarantees, despite the known shortcomings of DAC.

The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers

Much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications. While bringing the community valuable information about the methods used and data targeted by malware writers, such work has not yet been able to quantify the prevalence with which mobile devices are actually infected. In this paper, we present the first such attempt through a study of the hosting infrastructure used by mobile applications.

12:15-14:00 - Lunch

14:00-15:40 - Session 3: Systems and Software Security

High Accuracy Attack Provenance via Binary-based Execution Partition

An important aspect of cyber attack forensics is to understand the provenance of suspicious events, as it discloses the root cause and ramifications of cyber attacks. Traditionally, this is done by analyzing audit logs. However, the presence of long running programs makes a live process receive a large volume of inputs and produce many outputs, and each output may be causally related to all the preceding inputs, leading to dependence explosion and making attack investigations almost infeasible.

Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring

The economy of mechanism security principle states that program design should be kept as small and simple as possible. In practice, this principle is often disregarded to maximize user satisfaction, resulting in systems supporting a vast number of features by default, which in turn offers attackers a large code base to exploit. The Linux kernel exemplifies this problem: distributors include a large number of features, such as support for exotic filesystems and socket types, and attackers often take advantage of those.

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Recent years have witnessed increased adoption of hosted hypervisors in virtualized computer systems. By non-intrusively extending commodity OSs, hosted hypervisors can effectively take advantage of a variety of mature and stable features as well as the existing broad user base of commodity OSs. However, virtualizing a computer system is still a rather complex task.

When Firmware Modifications Attack: A Case Study of Embedded Exploitation

The ability to update firmware is a feature that is found in nearly all modern embedded systems. We demonstrate how this feature can be exploited to allow attackers to inject malicious firmware modifications into vulnerable embedded devices. We discuss techniques for exploiting such vulnerable functionality and the implementation of a proof of concept printer malware capable of network reconnaissance, data exfiltration and propagation to general purpose computers and other embedded device types.

CAMP: Content-Agnostic Malware Protection

In spite of recent advances, the world wide web remains an important vector for malware installation. Approaches to evaluating potentially malicious code before execution in a browser, such as blacklisting or content-based detection are hindered by an attacker’s ability to easily change hosting domains or mutate malware binaries. On the other hand, whitelist-based approaches are challenged by the large, dynamic, and heterogenous space of benign binaries that they must track.

15:40-16:00 – Break

16:00-17:40 - Session 4: Web Security

InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations

A web application today often utilizes web APIs to incorporate third-party services into its functionality. Such API integration, however, is full of security perils: recent studies show that popular web sites using high-profile web services, such as PayPal/Amazon checkouts and Facebook/Google single sign-on (SSO) services, are riddled with logic flaws, enabling a malicious party to shop for free or log into a victim’s account.

Preventing Side-Channel Leaks in Web Traffic: A Formal Approach

Internet traffic is exposed to potential eavesdroppers. Standard encryption mechanisms do not provide sufficient protection: Features such as packet sizes and numbers remain visible, opening the door to so-called side-channel attacks against web traffic.

NEIGHBORWATCHER: A Content-Agnostic Comment Spam Inference System

Comment spam has become a popular means for spammers to attract direct visits to target websites, or to manipulate search ranks of the target websites. Through posting a small number of spam messages on each victim website (e.g., normal websites such as forums, wikis, guestbooks, and blogs, which we term as spam harbors in this paper) but spamming on a large variety of harbors, spammers can not only directly inherit some reputations from these harbors but also avoid content-based detection systems deployed on these harbors.

AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single sign-on (SSO) protocol implementations recently.

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites

The postMessage mechanism in HTML5 enables Web content from different origins to communicate with each other, thus relaxing the same origin policy. It is especially popular in websites that include third-party content. Each message contains accurate information about its origin, but the receiver must check this information before accepting the message.

19:00-21:00 - Dinner

Tuesday, 26 February

07:30-08:30 - Continental Breakfast

08:30-09:15 - Keynote:
Laying a Secure Foundation for Mobile Devices

09:15-10:15 - Session 5: Social Networks and Application Security

Pisces: Anonymous Communication Using Social Networks

The architectures of deployed anonymity systems such as Tor suffer from two key problems that limit user’s trust in these systems. First, paths for anonymous communication are built without considering trust relationships between users and relays in the system. Second, the network architecture relies on a set of centralized servers. In this paper, we propose Pisces, a decentralized protocol for anonymous communications that leverages users’ social links to build circuits for onion routing.

Preserving Link Privacy in Social Network Based Systems

A growing body of research leverages social network based trust relationships to improve the functionality of the system. However, these systems expose users’ trust relationships, which is considered sensitive information in today’s society, to an adversary.

COMPA: Detecting Compromised Accounts on Social Networks

As social networking sites have risen in popularity, cyber-criminals started to exploit these sites to spread malware and to carry out scams. Previous work has extensively studied the use of fake (Sybil) accounts that attackers set up to distribute spam messages (mostly messages that contain links to scam pages or drive-by download sites). Fake accounts typically exhibit highly anomalous behavior, and hence, are relatively easy to detect.

10:15-10:35 – Break

10:35-12:15 - Session 6: Mobile and Wireless Security and Privacy

Social Turing Tests: Crowdsourcing Sybil Detection

As popular tools for spreading spam and malware, Sybils (or fake accounts) pose a serious threat to online communities such as Online Social Networks (OSNs). Today, sophisticated attackers are creating realistic Sybils that effectively befriend legitimate users, rendering most automated Sybil detection techniques ineffective. In this paper, we explore the feasibility of a crowdsourced Sybil detection system for OSNs.

Comparing Mobile Privacy Protection through Cross-Platform Applications

With the rapid growth of the mobile market, security of mobile platforms is receiving increasing attention from both the research community and the public. In this paper, we make the first attempt to establish a baseline for security comparison between the two most popular mobile platforms. We investigate applications that run on both Android and iOS and examine the difference in the usage of their security sensitive APIs (SS-APIs).

On Implementing Deniable Storage Encryption for Mobile Devices

Data confidentiality can be effectively preserved through encryption. In certain situations, this is inadequate, as users may be coerced into disclosing their decryption keys. In this case, the data must be hidden so that its very existence can be denied. Steganographic techniques and deniable encryption algorithms have been devised to address this specific problem.

Contextual Policy Enforcement in Android Applications with Permission Event Graphs

The difference between a malicious and a benign Android application can often be characterised by context and sequence in which certain permissions and APIs are used. We present a new technique for checking temporal properties of the interaction between an application and the Android event system.

Low-cost Standard Signatures in Wireless Sensor Networks: A Case for Reviving Pre-computation Techniques?

Effective pre-computation techniques have been proposed almost 15 years ago for trimming the cost of modular exponentiations at the basis of several standard signature and key management schemes, such as the (Elliptic Curve) Digital Signature Algorithm or Diffie-Hellman key exchange. Despite their promises, the actual application of such techniques in the wireless sensor security arena has been apparently overlooked, and most of the research effort has rather focused on the identification of alternative lightweight constructions.

12:15-14:00 - Lunch

14:00-15:40 - Session 7: Network Security I

Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting

Piracy is a mass phenomenon on the Internet today. Various file sharing platforms offer free access to unauthorised copies of copyrighted works such as media content and software. Copyright holders are using a range of legal and technical methods to protect their rights, and they are lobbying for legislation that would give them additional ways of enforcing their copyright online.

FRESCO: Modular Composable Security Services for Software-Defined Networks

OpenFlow is an open standard that has gained tremendous interest in the last few years within the network community. It is an embodiment of the software-defined networking paradigm, in which higher-level flow routing decisions are derived from a control layer that, unlike classic network switch implementations, is separated from the data handling layer.

Intention and Origination: An Inside Look at Large-Scale Bot Queries

Modern attackers increasingly exploit search engines as a vehicle to identify vulnerabilities and to gather information for launching new attacks. In this paper, we perform a large-scale quantitative analysis on bot queries received by the Bing search engine over month-long periods. Our analysis is based on an automated system, called SBotScope, that we develop to dissect large-scale bot queries.

Juice: A Longitudinal Study of an SEO Botnet

Black hat search engine optimization (SEO) campaigns attract and monetize traffic using abusive schemes. Using a combination of Web site compromise, keyword stuffing and cloaking, a SEO botnet operator can manipulate search engine rankings for key search terms, ultimately directing users to sites promoting some kind of scam (e.g., fake anti-virus).

I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention

Open communication over the Internet poses a serious threat to countries with repressive regimes, leading them to develop and deploy censorship mechanisms within their networks. Unfortunately, existing censorship circumvention systems face difficulties in providing unobservable communication with their clients; this highly limits their availability as censors can easily block access to circumvention systems that make observable communication patterns.

15:40-16:00 – Break

16:00-17:40 - Session 8: Short Talks

OIRS: Outsourced Image Recovery Service From Comprehensive Sensing With Privacy Assurance

How Privacy Leaks From Bluetooth Mouse?

Practical Timing Side Channel Attacks Against Kernel Space ASLR

Updates from the Internet Backbone

Metrics for Automated Network Security Design

Automatic Protocol Selection in Secure Two-Party Computations

Assessing software integrity of virtual appliances through software whitelists

Privacy-Enhancing Technologies for Medical Tests Using Genomic Data

ObliviStore: High Performance Oblivious Distributed Cloud Data Store

A Non-interactive Dual-channel Authentication Protocol for Assuring Pseudo-confidentiality

Macroeconomic Analysis of Malware

TransBlocker: Transforming and Taming Privacy-Breaching Android Applications

19:00-21:00 - Dinner

Wednesday, 27 February

07:30-08:30 - Continental Breakfast

08:30-09:15 - Keynote:
You Can't Do Today's Security With Yesterday's Methods

09:15-10:15 - Session 9: Privacy and Anonymity

One (Block) Size Fits All: PIR and SPIR with Variable-Length Records via Multi-Block Queries

We propose a new, communication-efficient way for users to fetch multiple blocks simultaneously in Goldberg’s robust information-theoretic private information retrieval (IT-PIR) scheme. Our new multi-block IT-PIR trades off some Byzantine robustness to improve throughput without affecting user privacy.

rBridge: User Reputation based Tor Bridge Distribution with Privacy Preservation

Tor is one of the most popular censorship circumvention systems; it uses bridges run by volunteers as proxies to evade censorship. A key challenge to the Tor circumvention system is to distribute bridges to a large number of users while avoiding having the bridges fall into the hands of corrupt users.

An Empirical Evaluation of Relay Selection in Tor

While Tor is the most popular low-latency anonymity network in use today, Tor suffers from a variety of performance problems that continue to inhibit its wide scale adoption. One reason why Tor is slow is due to the manner in which clients select Tor relays.

10:15-10:35 – Break

10:35-12:15 - Session 10: Anonymity, Authentication and Attacks

LIRA: Lightweight Incentivized Routing for Anonymity

Tor, the most popular deployed distributed onion routing network, suffers from performance and scalability problems stemming from a lack of incentives for volunteers to contribute. Insufficient capacity limits scalability and harms the anonymity of its users. We introduce LIRA, a lightweight scheme that creates performance incentives for users to contribute bandwidth resources to the Tor network.

KinWrite: Handwriting-Based Authentication Using Kinect

Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible.

Tailing RFID Tags for Clone Detection

RFID (Radio-Frequency IDentification) is a key emerging technology for supply-chain monitoring and detection of counterfeit and grey-market goods. The most prevalent RFID tags are, however, simply “wireless barcodes,” themselves vulnerable to cloning and counterfeiting.

One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography

Backwards compatibility attacks are based on the common practical scenario that a cryptographic standard offers a choice between several algorithms to perform the same cryptographic task. This often includes secure state-of-the-art cryptosystems, as well as insecure legacy cryptosystems with known vulnerabilities that are made available for backwards compatibility reasons.

Does Counting Still Count? Revisiting the Security of Counting based User Authentication Protocols against Statistical Attacks

At NDSS 2012, Yan et al. analyzed the security of several challenge-response type user authentication protocols against passive observers, and proposed a generic counting based statistical attack to recover the secret of some counting based protocols given a number of observed authentication sessions.

12:15-13:40 - Lunch

13:40-15:20 - Session 11: Distributed Systems Security

Toward Online Verification of Client Behavior in Distributed Applications

Existing techniques for a server to verify the correctness of client behavior in a distributed application suffer from imprecision, increased bandwidth consumption, or significant computational expense. We present a novel method for a server to efficiently search for a code path through the client that “explains” each client message, even though the server does not know local inputs to the client that might have caused the message.

Clear and Present Data: Opaque Traffic and its Security Implications for the Future

Opaque traffic, i.e., traffic that is compressed or encrypted, incurs particularly high overhead for deep packet inspection engines and often yields little or no useful information.

Verito: A Practical System for Transparency and Accountability in Virtual Economies

Purchase of virtual goods and services is now a major source of revenue for developers on platforms like Facebook, Xbox, and iOS. These virtual economies are typically based on users maintaining a stored-value account of virtual-currency (purchased with real-currency) with the platform.

Secure Computation on Floating Point Numbers

Secure computation undeniably received a lot of attention in the recent years, with the shift toward cloud computing offering a new incentive for secure computation and outsourcing. Surprisingly little attention, however, has been paid to computation with non-integer data types.

Analyzing Unique-Bid Auction Sites for Fun and Profit

Unique-Bid auction sites are gaining popularity on the Internet in recent years. We have managed to extract dynamic temporal bidding data from such a site, using a back-propagation algorithm for analysis of side signals. This offered us rare insights on actual bidding strategies used by actual bidders, such as bidding-bursts, late-bidding and position-targeted bidding.

15:20-15:40 – Break

15:40-17:00 - Session 12: Network Security II

Fix Me Up: Repairing Access-Control Bugs in Web Applications

Access-control policies in Web applications ensure that only authorized users can perform security-sensitive operations. These policies usually check user credentials before executing actions such as writing to the database or navigating to privileged pages. Typically, every Web application uses its own, hand-crafted program logic to enforce access control.

Automatically Inferring the Evolution of Malicious Activity on the Internet

Internet-based services routinely contend with a range of malicious activity (e.g., spam, scans, botnets) that can potentially arise from virtually any part of the global Internet infrastructure and that can shift longitudinally over time. In this paper, we develop the first algorithmic techniques to automatically infer regions of the Internet with shifting security characteristics in an online fashion.

Detection of Malicious PDF Files Based on Hierarchical Document Structure

Malicious PDF files remain a real threat, in practice, to masses of computer users, even after several high-profile security incidents. In spite of a series of security patches issued by Adobe and other vendors, many users still have vulnerable client software installed on their computers. The expressiveness of the PDF format, furthermore, enables attackers to evade detection with little effort.

Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web

Web attacks are nowadays one of the major threats on the Internet, and several studies have analyzed them, providing details on how they are performed and how they spread. However, no study seems to have sufficiently analyzed the typical behavior of an attacker after a website has been compromised.

17:00 - Closing Remarks