NDSS 2012 - Papers and Presentations

The NDSS 2012 programme will open with registration and a welcome drink on the evening of Sunday 5 February, followed by paper presentations and invited talks from Monday through Wednesday, 6-8 February. The Symposium is scheduled to end at 17:00 on Wednesday.
 
Meals and refreshment breaks will be provided throughout NDSS 2012. An Opening Reception will be held on Monday evening, February 6.

Monday, 6 February

07:30-08:30 - Continental Breakfast

08:30-09:00 - Introductory Remarks

General Chair: Tom Hutton, San Diego Supercomputer Center
Program Chair: Radu Sion, Stony Brook University
 

09:00-09:45 - Opening & Keynote

John N. Stewart, Vice President and Chief Security Officer, Cisco Systems, Inc.
 

Break

 

10:00-11:00 - Session 1: Networking I

Chair: Lujo Bauer, Carnegie Mellon University
 

Plaintext-Recovery Attacks Against Datagram TLS
Distinguished Paper Award

Kenneth Paterson and Nadhem Alfardan
We describe an efficient and full plaintext recovery attack against the OpenSSL implementation of DTLS, and an efficient, partial plaintext recovery attack against the GnuTLS implementation of DTLS. We discuss the reasons why these implementations are insecure, drawing lessons for secure protocol design and implementation in general.
 

ANDaNA: Anonymous Named Data Networking Application

Steven Dibenedetto, Paolo Gasti, Gene Tsudik and Ersin Uzun
Named Data Networking (NDN) is an example of content-centric networking. While offering some privacy-friendly features, NDN also prompts certain privacy concerns. We examine NDN privacy characteristics and describe an initial approach to communication privacy: ANDaNA, an overlay that borrows some Tor concepts. We also discuss preliminary performance results.
 

Persistent OSPF Attacks

Gabi Nakibly, Alex Kirshon, Dima Gonikman and Dan Boneh
We present new OSPF attacks that exploit design vulnerabilities in the protocol specification. These new attacks can affect the Link State Advertisements (LSA) of routers not controlled by the attacker while evading the OSPF "fight-back" mechanism. As a result, an attacker can persistently control the routing tables of routers it does not control, thereby enabling the attacker to eavesdrop and modify traffic.
 

Break

 

11:10-12:10 - Session 2: Social Networks and User Behavior I

Chair: Yongdae Kim, University of Minnesota
 

You are what you like! Information leakage through users' Interests

Abdelberi Chaabane, Gergely Acs and Mohamed Ali Kaafar
We show how seemingly harmless interests, such as music interests, can leak privacy-sensitive information. We infer users' undisclosed attributes using other users' public attributes sharing similar interests. We validate our technique on more than 110K profiles to show that it efficiently predicts attributes that are often hidden.
 

X-Vine: Secure and Pseudonymous Routing in DHTs Using Social Networks

Prateek Mittal, Matthew Caesar and Nikita Borisov
We present X-Vine, a protection mechanism for P2P networks that operates entirely by communicating over social network links. X-Vine is resilient to Sybil attacks, while requiring only logarithmic state per node. X-Vine also preserves the privacy of users' social network contacts and provides a basis for pseudonymous communication.
 

Towards Online Spam Filtering in Social Networks

Hongyu Gao, Yan Chen, Kathy Lee, Diana Palsetia and Alok Choudhary
This paper presents an online spam filtering system to inspect messages in online social networks. We propose to use text shingling and incremental clustering to reconstruct spam messages into campaigns in real-time for classification rather than examine them individually. Accordingly, the system adopts novel features that effectively characterize spam campaigns.
 

12:10-13:30 - Lunch

 

13:30-14:50 - Session 3: Mobile Networks

Chair: Ahmad-Reza Sadeghi, Technical University Darmstadt
 

Location leaks over the GSM air interface

Denis Foo Kune, John Koelndorfer, Nicholas Hopper and Yongdae Kim
University of Minnesota researchers have discovered cellular networks leaking the locations of their subscribers. Using a cheap feature phone and an open-source project, attackers listen to unencrypted broadcast messages from the towers to determine victims in the vicinity. The researchers introduce cheap and easily deployable defenses for the core network.
 

Track Me If You Can: On the Effectiveness of Context-based Identifier Changes in Deployed Mobile Networks

Laurent Bindschaedler, Murtuza Jadliwala, Igor Bilogrevic, Imad Aad, Philip Ginzboorg, Valtteri Niemi and Jean-Pierre Hubaux
Location privacy is a major concern for mobile users. This work provides the first experimental evidence about the effectiveness of context-based identifier-change mechanisms in protecting users' location privacy in currently deployed wireless systems. By means of simple probabilistic tracking algorithms in a real mobile network setting, we show that these techniques are largely ineffective in protecting location privacy of mobile users.
 

You Can Run, but You Can’t Hide: Exposing Network Location for Targeted DoS Attacks in Cellular Networks

Zhiyun Qian, Zhaoguang Wang, Qiang Xu, Z. Morley Mao, Ming Zhang and Yi-Min Wang
We study how to locate online mobile devices associated with a target network location without cooperation from these devices. Such a hit-list can greatly benefit many existing targeted DoS attacks such as the signaling attack. Our technique relies on developing and measuring network signatures consisting of both static and dynamic features of key network elements such as Radio Network Controllers (RNCs).
 

Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunications

Nico Golde, Kévin Redon and Ravishankar Borgaonkar
The paper analyses the security of a commercially deployed femtocell solution. During this study several vulnerabilities have been identified, both in the configuration of the specific operator as well as the femtocell architecture. The authors continue to highlight the impact of these vulnerabilities in practice, affecting all aspects of subscriber security in 3G and operator infrastructure security.
 

Break

 

15:05-16:25 - Session 4: Clouds/Crypto

Chair: Kristin Lauter, Microsoft Research
 

Privacy-preserving Logarithmic-time Search on Encrypted Data in Cloud

Yanbin Lu
This paper presents a scheme supporting logarithmic-time search over encrypted data. The scheme is aimed at a cloud database environment where the database owner outsources an encrypted database to a cloud server, and later users can use search tokens and decryption keys delegated by the owner to search and decrypt matching records. Both the cloud server and users learn limited information during querying.
 

Large-Scale Privacy-Preserving Mapping of Human Genomic Sequences on Hybrid Clouds

Yangyi Chen, Bo Peng, Xiaofeng Wang and Haixu Tang
Read mapping is a prerequisite for most human DNA analyses. This operation needs an enormous amount of computation resources and cannot be outsourced to commercial clouds due to privacy concerns. In this paper, we present the first technique that makes it possible to practically map millions of sequences onto the whole genome over hybrid clouds, in a privacy-preserving manner.
 

Making argument systems for outsourced computation practical (sometimes)

Srinath Setty, Richard McPherson, Andrew Blumberg and Michael Walfish
It has long been known that, to achieve unconditionally verifiable outsourced computation, probabilistically checkable proofs (PCPs) and argument systems offered solutions in theory but were hopeless in practice. This paper describes a system that reduces the costs of this machinery by 20 orders of magnitude, resulting in a built system for outsourced computation that is in striking distance of practical.
 

Towards Practical Oblivious RAM

Emil Stefanov, Elaine Shi and Dawn Song
We investigate techniques for making Oblivious RAM practical. We propose an O-RAM construction achieving an overhead of 20-35X, about 63 times faster than the best existing scheme. We employ a novel technique called partitioning, which allows us to break down the O-RAM problem into smaller instances. Our construction also achieves poly-logarithmic worst-case cost.
 

Break

 

16:40-18:00 - Session 5: Posters

Chair: Radu Sion, Stony Brook University
 

Hubble: Transparent and Extensible Malware Analysis by Combining Hardware Virtualization and Software Emulation

Lok Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin - Syracuse University
 

FreeMarket: Shopping for free in Android applications

Daniel Reynaud, Dawn Song, Tom Magrino, Edward Wu, Richard Shin - UC Berkeley
 

Distance Hijacking Attacks on Distance Bounding Protocols

Cas Cremers, Kasper Bonne Rasmussen, Srdjan Capkun - ETH Zurich
 

Throttling Tor Bandwidth Parasites

Rob Jansen, Nicholas Hopper, Paul Syverson - Naval Research Laboratory and University of Minnesota
 

Short Break

 

Taking Routers Off Their Meds: Why Assumptions Of Router Stability Are Dangerous

Maxfield Schuchard, Christopher Thompson, Nicholas Hopper, Yongdae Kim - University of Minnesota
 

Newton Meets Vivaldi: Using Physical Laws to Secure Virtual Coordinate Systems

Jeff Seibert, Sheila Becker, Cristina Nita-Rotaru, Radu State - Purdue University, University of Luxembourg
 

Charm: A Framework for Rapidly Prototyping Cryptosystems

Joseph A. Akinyele, Matthew D. Green, Aviel D. Rubin - Johns Hopkins University
 

Abuse Detection and Prevention Systems at a Large Scale Video Sharing Website

Yu-To Chen, Pierre Grinspan, Blake Livingston, Palash Nandy, Brian Palmer - YouTube LLC
 

18:30-20:00 - Opening Reception


Tuesday, 7 February

07:30-08:15 - Continental Breakfast

08:15-09:35 - Session 6: Applied Crypto

Chair: Elaine Shi, UC Berkeley and PARC
 

Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation

Mohammad Islam, Mehmet Kuzu and Murat Kantarcioglu
In this paper, we present an attack model on searchable encryption protocols that exploits access pattern leakage to disclose a significant amount of confidential information. Furthermore, we propose a simple noise-addition-based mitigation technique that can render such an inference attack significantly more difficult. Finally, we empirically justify our claim by presenting our experimental results on a real-world dataset.
 

On Limitations of Designing Leakage-Resilient Password Systems: Attacks, Principles and Usability
Distinguished Paper Award

Qiang Yan, Jin Han, Yingjiu Li and Robert H. Deng
Designing leakage-resilient password systems (LRPSs) for unaided users (e.g. against shoulder-surfing or key logger) remains a challenge today despite two decades of intensive research. This paper demonstrates that most existing LRPSs suffer from two generic attacks. We introduce five design principles accordingly and propose a quantitative analysis framework on the usability costs of LRPSs.
 

Adaptive Password-Strength Meters from Markov Models

Claude Castelluccia, Markus Duermuth and Daniele Perito
Measuring the strength of passwords is crucial to ensure the security of password-based authentication. However, current password strength meters have limited accuracy and are too simple to gauge the complexity of passwords. We present the concept of adaptive password strength meters that estimate password strength using Markov models.
 

Private Set Intersection: Are Garbled Circuits Better than Custom Protocols?

Yan Huang, David Evans and Jonathan Katz
Private Set Intersection (PSI) has many applications for privacy-preserving computation and much research has been devoted to designing custom PSI protocols. We show that generic secure computation techniques built using Yao's garbled circuit method can often be competitive with custom protocols and can scale to million-element sets, while allowing much easier integration into applications.
 

Break

 

9:45-11:35 - Session 7: Smartphones

Chair: Peng Ning, North Carolina State University
 

Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications

Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber and Edgar Weippl
Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. Our experimental results revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, or enumerate subscribers.
 

MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones

Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger and Ahmad-Reza Sadeghi
Control-flow attacks constitute severe threats to software programs on various computing platforms. While control-flow integrity (CFI), a general approach to prohibit these attacks, exists for Intel x86, there is no such solution for smartphones. We present a novel framework, MoCFI (Mobile CFI), that enforces CFI on-the-fly at runtime on smartphones without requiring source code.
 

Towards Taming Privilege-Escalation Attacks on Android

Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi and Bhargava Shastry
Android is vulnerable to application-level privilege escalation attacks (confused deputy and colluding applications). We present the design and implementation of a security framework for Android towards mitigating these attacks through a system-centric and policy-driven approach with runtime monitoring of communication channels between applications at multiple layers (middleware IPC, file-system, and network).
 

Systematic Detection of Capability Leaks in Stock Android Smartphones

Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang
In this research, we systematically analyze eight flagship Android smartphones from leading manufacturers and discover that the stock phone images do not properly enforce the Android permission model. Sensitive user data and dangerous features on the phones are unsafely exposed to other applications which do not have the proper permission, a security violation we term a capability leak.
 

Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets

We developed a system called DroidRanger to detect known or unknown malicious Android applications. The evaluation with 204,040 applications collected from five different Android marketplaces in May-June 2011 reveals 211 malicious ones: 32 from the official Android Market and 179 from alternative markets. DroidRanger also successfully uncovered two zero-day malware families in the collection.
 

Break

 

11:45-12:45 - Keynote: Sipping from a fire hose: the future of human information processing and security

David Brin, scientist and New York Times best-selling, award-winning science-fiction author
 

12:45-14:00 - Lunch

 

14:00-14:25 - Security experimentation opportunities on the GENI platform

Vicraj Thomas, BBN Technologies, Inc.
 

Break

 

14:35-15:00 - Internet2's Researcher Support Service and R&E Network Research Liaison Program

Steve Wolff, Internet2
 

Break

 

15:15-16:15 - Session 8: Social Networks and User Behavior II

Chair: Konstantin Beznosov, University of British Columbia
 

Insights into User Behavior in Dealing with Internet Attacks

Kaan Onarlioglu, Utku Ozan Yilmaz, Engin Kirda and Davide Balzarotti
Internet attacks have a strong human aspect; however, the behavior of users when they face threats, and the way they evaluate the security implications of their actions remain largely unexplored. In this paper, we describe an experiment with 164 Internet users and discuss their behavior when confronted with prevalent attacks.
 

PathCutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks

Yinzhi Cao, Vinod Yegneswaran, Phillip Porras and Yan Chen
Worms exploiting cross-site scripting (XSS) vulnerabilities rampantly infect millions of web pages in popular social networks. PathCutter is a new approach to severing the self-propagation path of XSS JavaScript worms that blocks the issuance of unauthorized HTTP requests by enforcing view separation to restrict DOM access across different client-side views.
 

The Latent Community Model for Detecting Sybils in Social Networks

Zhuhua Cai and Christopher Jermaine
We propose a new statistical model and associated learning algorithm for detecting Sybil attacks in online social networks, which groups the nodes in the network into closely linked communities positioned in a latent Euclidean space. Our model outperforms state-of-the-art algorithms in simulated attacks on real network topologies.
 

Break

 

16:30-17:30 - Session 9: Privacy and Anonymity

Chair: Paul Syverson, Naval Research Laboratory
 

BLACR: TTP-Free Blacklistable Anonymous Credentials with Reputation

Man Ho Au, Apu Kapadia and Willy Susilo
Anonymity can give users the license to misbehave. BLACR is the first scheme to generalize "reputation based anonymous blacklisting", where users can be blocked based on their overall behavior while maintaining their privacy. BLACR also uses an "express lane" technique to greatly speed up authentication and make such schemes practical.
 

Accountable Wiretapping -or- I know they can hear you now

Adam Bates, Kevin Butler, Micah Sherr, Clay Shields, Patrick Traynor and Dan Wallach
In many democratic countries, CALEA wiretaps are used by law enforcement agencies to perform investigations and gather evidence. This paper proposes a lightweight accountable wiretapping architecture for secure auditing of existing CALEA systems. Based on publicly available wiretap reporting statistics, we conservatively estimate that our architecture can support tamper-evident logging for the US' ongoing CALEA wiretaps using three commodity PCs.
 

Shadow: Running Tor in a Box for Accurate and Efficient Experimentation

Rob Jansen and Nicholas Hopper
We present the design and implementation of Shadow, an open-source software architecture for efficiently running accurate, large scale Tor experiments on a single machine. Using Shadow, we evaluate Tor's EWMA scheduling algorithm, and show that, contrary to previous results on small networks, performance can decrease significantly in realistic deployments.
 

19:00-21:00 - Buffet Dinner and Rump Session

Rump Session Chair: Peter Williams, Stony Brook University

 

Wednesday, 8 February

07:30-08:30 - Continental Breakfast

08:30-09:50 - Session 10: Host Security

Chair: Xuxian Jiang, North Carolina State University
 

Discovering Semantic Data of Interest from Un-mappable Memory with Confidence

Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu
Memory pages belonging to a terminated process may remain in a system for a non-trivial period of time. Discovering semantic information from those memory pages is useful in cyber-forensics. We present a technique called DIMSUM for recognizing data structure instances without memory mapping information. Via probabilistic inference, DIMSUM is able to identify semantic data of interest with quantifiable confidence.
 

SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes

Kun Sun, Jiang Wang, Fengwei Zhang and Angelos Stavrou
We introduce a novel BIOS-assisted mechanism for secure generation and management of trusted execution environments. Our approach is capable of completely segregating trusted and untrusted operations. The aim is to be user-friendly and to switch swiftly (it takes approximately 6 seconds) between execution environments running on a physical machine without requiring any specialized hardware, OS, or application modifications.
 

SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust

Karim Eldefrawy, Gene Tsudik, Aurélien Francillon and Daniele Perito
We construct a hardware security architecture (called SMART) for efficient and secure establishment of a dynamic root of trust in remote embedded devices. It is geared towards low-end MCUs and requires minimal hardware changes. Its feasibility and practicality are demonstrated on two common MCU platforms: AVR and MSP430.
 

Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring

Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu and Changzhen Hu
This paper presents Kruiser, a concurrent kernel heap buffer overflow monitor. Leveraging the multi-core architectures, Kruiser migrates security enforcement from the kernel's normal execution to a concurrent monitor process, which is protected using contemporary virtualization features. To reduce the synchronization overhead between the monitor process and the running kernel, Kruiser adopts a novel semi-synchronized non-blocking monitoring algorithm.
 

Break

 

10:00-10:45 - Keynote: Authentication at Scale

Eric Grosse, Vice President of Security Engineering, Google
 

Break

 

11:00-12:20 - Session 11: Web

Chair: Nikita Borisov, University of Illinois at Urbana Champaign
 

WarningBird: Detecting Suspicious URLs in Twitter Stream

Sangho Lee and Jong Kim
We introduce WarningBird, a real-time suspicious URL detection system for Twitter. To detect cloaked suspicious URLs, we investigate correlated redirect chains of URLs included in a number of tweets. Evaluation results show that our system can accurately and efficiently classify large tweet samples from the Twitter public timeline.
 

Using replicated execution for a more secure and reliable web browser

Hui Xue, Nathan Dautenhahn and Samuel King
Modern web browsers are complex. Individually, they are all prone to security vulnerabilities and crashes. However, major browsers are distinct implementations that rarely share the same vulnerability. In other words, a single attack rarely succeeds in exploiting all browsers. We propose Cocktail, a system using replicated execution of Firefox, Google Chrome, and Opera to defend against browser attacks and withstand browser crashes.
 

Host Fingerprinting and Tracking on the Web: Privacy and Security Implications

Ting-Fang Yen, Yinglian Xie, Fang Yu, Roger Peng Yu and Martin Abadi
This paper presents a large-scale study to quantify the amount of information revealed by common host identifiers, based on month-long datasets collected by Hotmail and Bing. It further demonstrates the privacy and security implications of host-tracking in the context of cookie churn analysis and host mobility study, where we uncover previously undetected cookie-forwarding attacks.
 

Chrome Extensions: Threat Analysis and Countermeasures

Lei Liu, Xinwen Zhang, Guanhua Yan and Songqing Chen
The Chrome browser employs least privileges and privilege separation principles to protect malicious websites from damaging the browser system via extensions. In this work we reveal that Chrome's extension security model is not a panacea for all possible attacks with browser extensions. We demonstrated attack scenarios from malicious browser extensions and proposed a few countermeasures accordingly.
 

12:20-13:40 - Lunch

 

13:40-15:00 - Session 12: Networking II

Chair: Yan Chen, Northwestern University
 

Ghost Domain Names: Revoked Yet Still Resolvable

Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu
It is a common belief that one can delete a bad domain from the DNS registry to stop related malicious activities. Surprisingly, the deleted domain can still be kept alive worldwide due to an unnoticed vulnerability in DNS. This paper presents the phenomenon of ghost domain names and the mechanism behind it.
 

ShortMAC: Efficient Data-Plane Fault Localization

Xin Zhang, Zongwei Zhou, Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Adrian Perrig and Patrick Tague
Data-plane fault localization is a promising means of enhancing network availability. However, existing fault localization protocols cannot achieve a practical tradeoff between security and efficiency. In this paper, we propose an efficient fault localization protocol called ShortMAC, which leverages probabilistic packet authentication and achieves 100-10000 times lower detection delay and overhead than related work.
 

Bypassing Space Explosion in Regular Expression Matching for Network Intrusion Detection and Prevention Systems

Jignesh Patel, Alex Liu and Eric Torng
NIDSes/NIPSes use regular expressions, represented as automata, to detect security threats. Prior automata construction algorithms use a "Union then Minimize" framework, which leads to extensive memory usage. In this paper, we propose a "Minimize then Union" framework for constructing compact alternative automata focusing on the DDFA. In our experiments, our algorithm runs up to 302 times faster and uses 1390 times less memory than previous algorithms.
 

The Case for Prefetching and Prevalidating TLS Server Certificates

Emily Stark, Lin-Shung Huang, Dinesh Israni, Collin Jackson and Dan Boneh
By prefetching and prevalidating server certificates, web browsers can enable TLS handshakes with zero round trips that are up to four times faster than a normal handshake. This proposal improves web security by allowing more time for certificate validation and making it less costly for websites to enable TLS.
 

Break

 

15:10-15:50 - Session 13: Distributed Systems

Chair: Adrian Perrig, Carnegie Mellon University
 

Gatling: Automatic Attack Discovery in Large-Scale Distributed Systems

Hyojeong Lee, Jeff Seibert, Charles Killian and Cristina Nita-Rotaru
We propose Gatling, a framework that automatically finds performance attacks caused by insider attackers in large-scale message-passing distributed systems. In performance attacks, malicious nodes deviate from the protocol with the goal of degrading system performance. We applied Gatling to six systems and found a total of 41 attacks.
 

Automated Synthesis of Secure Distributed Applications

Michael Backes, Matteo Maffei and Kim Pecina
Designing distributed applications that preserve the privacy of users is a daunting task, which even security experts consider error-prone. We present a solution based on an intuitive, high-level specification language that hides cryptographic and networking details, and a compiler that automatically turns user-provided system specifications into secure executable code.
 

Break

 

16:00-17:00 - Session 14: Software

Chair: Dongyan Xu, Purdue University
 

A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware

Kangkook Jee, Georgios Portokalidis, Vasileios P. Kemerlis, Soumyadeep Ghosh, David I. August and Angelos D. Keromytis
We present and evaluate a novel methodology for improving the performance overhead of dynamic data flow tracking (DDFT) frameworks, by combining static and dynamic analysis. Specifically, we separate the program logic from the corresponding tracking logic, and apply optimization techniques that eliminate redundant tracking and minimize interference with the target program. Our results indicate a DDFT speedup by as much as 2.23x.
 

Static detection of C++ vtable escape vulnerabilities in binary code

David Dewey and Jon Giffin
The complexities of C++ create new memory safety vulnerabilities not present in simpler software. We present vtable escape bugs, a type confusion error present in real, deployed C++ software, and we show how automated binary code analyses can statically detect the security defects by reconstructing high-level classes and objects.
 

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Mingwei Zhang, Aravind Prakash, Xiaolei Li, Zhenkai Liang and Heng Yin
Due to the complexity of the victim programs and sophistication of recent exploits, existing diagnosis techniques either miss important attack steps or report too much irrelevant information. As the key steps in memory-corruption exploits often involve pointer misuses, we proposed PointerScope to automatically infer types on binary execution, detect pointer misuses, and then highlight the key steps of the exploit.