Annual Computer Security Applications Conference最新文献_第6页

Crypto-Chain: A Relay Resilience Framework for Smart Vehicles 加密链:智能车辆的中继弹性框架

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485920

A. Sani, Dong Yuan, E. Bertino, Zhao Yang Dong

{"title":"Crypto-Chain: A Relay Resilience Framework for Smart Vehicles","authors":"A. Sani, Dong Yuan, E. Bertino, Zhao Yang Dong","doi":"10.1145/3485832.3485920","DOIUrl":"https://doi.org/10.1145/3485832.3485920","url":null,"abstract":"Recent findings show that smart vehicles can be exposed to relay attacks resulting from weaknesses in cryptographic operations, such as authentication and key derivation, or poor implementation of these operations. Relay attacks refer to attacks in which authentication is evaded without needing to attack a smart vehicle itself. They are a recurrent problem in practice. In this paper, we formulate the necessary relay resilience settings for strengthening authentication and key derivation and achieving the secure design and efficient implementation of cryptographic protocols based on universal composability, which allows the modular design and analysis of cryptographic protocols. We introduce Crypto-Chain, a relay resilience framework that extends Kusters’s universal composition theorem on a fixed number of protocol systems to prevent bypass of cryptographic operations and avoid implementation errors. Our framework provides an ideal crypto-chain functionality that supports several cryptographic primitives. Furthermore, we provide an ideal functionality for mutual authentication and key derivation in Crypto-Chain by which cryptographic protocols can use cryptographic operations, knowledge about the computation time of the operations, and cryptographic timestamps to ensure relay resilience. As a proof of concept, we first propose and implement a mutual authentication and key derivation protocol (MKD) that confirms the efficiency and relay resilience capabilities of Crypto-Chain and then apply Crypto-Chain to fix two protocols used in smart vehicles, namely Megamos Crypto and Hitag-AES/Pro.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129333604","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 1

Practical Attestation for Edge Devices Running Compute Heavy Machine Learning Applications 运行计算重型机器学习应用的边缘设备的实际认证

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485909

Ismi Abidi, Vireshwar Kumar, Rijurekha Sen

{"title":"Practical Attestation for Edge Devices Running Compute Heavy Machine Learning Applications","authors":"Ismi Abidi, Vireshwar Kumar, Rijurekha Sen","doi":"10.1145/3485832.3485909","DOIUrl":"https://doi.org/10.1145/3485832.3485909","url":null,"abstract":"Machine Learning (EdgeML) algorithms on edge devices facilitate safety-critical applications like building security management and smart city interventions. However, their wired/wireless connections with the Internet make such platforms vulnerable to attacks compromising the embedded software. We find that in the prior works, the issue of regular runtime integrity assessment of the deployed software with negligible EdgeML performance degradation is still unresolved. In this paper, we present PracAttest, a practical runtime attestation framework for embedded devices running compute-heavy EdgeML applications. Unlike the conventional remote attestation schemes that check the entire software in each attestation event, PracAttest segments the software and randomizes the integrity check of these segments over short random attestation intervals. The segmentation coupled with the randomization leads to a novel performance-vs-security trade-off that can be tuned per the EdgeML application’s performance requirements. Additionally, we implement three realistic EdgeML benchmarks for pollution measurement, traffic intersection control, and face identification, using state-of-the-art neural network and computer vision algorithms. We specify and verify security properties for these benchmarks and evaluate the efficacy of PracAttest in attesting the verified software. PracAttest provides 50x-80x speedup over the state-of-the-art baseline in terms of mean attestation time, with negligible impact on application performance. We believe that the novel performance-vs-security trade-off facilitated by PracAttest will expedite the adoption of runtime attestation on edge platforms.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134156706","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A Cross-role and Bi-national Analysis on Security Efforts and Constraints of Software Development Projects 软件开发项目安全工作与约束的跨角色、跨国家分析

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485922

Fumihiro Kanei, A. Hasegawa, Eitaro Shioji, Mitsuaki Akiyama

{"title":"A Cross-role and Bi-national Analysis on Security Efforts and Constraints of Software Development Projects","authors":"Fumihiro Kanei, A. Hasegawa, Eitaro Shioji, Mitsuaki Akiyama","doi":"10.1145/3485832.3485922","DOIUrl":"https://doi.org/10.1145/3485832.3485922","url":null,"abstract":"Software security, which is often regarded as a non-functional requirement, tends to be less prioritized than other explicit requirements in development projects. For designing security measures that can be used in software development, we must understand the obstacles that prevent the adoption of secure software development practices. In this study, we quantitatively analyzed security efforts and constraints of software development projects through an online survey of software development professionals in the US and Japan (N=664). We revealed how certain characteristics of a development project, such as the project’s contractual relationships or the software’s target users, influence security efforts and constraints. In addition, by comparing the survey results of two groups (developers and managers), we revealed how the gap in their security efforts and constraints influences software security. We believe the results provide insights toward designing usable measures to assist security-related decision-making in software development and conducting appropriate surveys targeting software development professionals.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125373138","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 2

Dicos: Discovering Insecure Code Snippets from Stack Overflow Posts by Leveraging User Discussions 利用用户讨论从堆栈溢出帖子中发现不安全的代码片段

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3488026

Hyunji Hong, Seunghoon Woo, Heejo Lee

{"title":"Dicos: Discovering Insecure Code Snippets from Stack Overflow Posts by Leveraging User Discussions","authors":"Hyunji Hong, Seunghoon Woo, Heejo Lee","doi":"10.1145/3485832.3488026","DOIUrl":"https://doi.org/10.1145/3485832.3488026","url":null,"abstract":"Online Q&A fora such as Stack Overflow assist developers to solve their faced coding problems. Despite the advantages, Stack Overflow has the potential to provide insecure code snippets that, if reused, can compromise the security of the entire software. We present Dicos, an accurate approach by examining the change history of Stack Overflow posts for discovering insecure code snippets. When a security issue was detected in a post, the insecure code is fixed to be safe through user discussions, leaving a change history. Inspired by this process, Dicos first extracts the change history from the Stack Overflow post, and then analyzes the history whether it contains security patches, by utilizing pre-selected features that can effectively identify security patches. Finally, when such changes are detected, Dicos determines that the code snippet before applying the security patch is insecure. To evaluate Dicos, we collected 1,958,283 Stack Overflow posts tagged with C, C++, and Android. When we applied Dicos on the collected posts, Dicos discovered 12,458 insecure posts (i.e., 14,719 insecure code snippets) from the collected posts with 91% precision and 93% recall. We further confirmed that the latest versions of 151 out of 2,000 popular C/C++ open-source software contain at least one insecure code snippet taken from Stack Overflow, being discovered by Dicos. Our proposed approach, Dicos, can contribute to preventing further propagation of insecure codes and thus creating a safe code reuse environment.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130351863","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 2

CommanderGabble: A Universal Attack Against ASR Systems Leveraging Fast Speech CommanderGabble:针对利用快速语音的ASR系统的通用攻击

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485892

Zhaohe Zhang, Edwin Yang, Song Fang

{"title":"CommanderGabble: A Universal Attack Against ASR Systems Leveraging Fast Speech","authors":"Zhaohe Zhang, Edwin Yang, Song Fang","doi":"10.1145/3485832.3485892","DOIUrl":"https://doi.org/10.1145/3485832.3485892","url":null,"abstract":"Automatic Speech Recognition (ASR) systems are widely used in various online transcription services and personal digital assistants. Emerging lines of research have demonstrated that ASR systems are vulnerable to hidden voice commands, i.e., audio that can be recognized by ASRs but not by humans. Such attacks, however, often either highly depend on white-box knowledge of a specific machine learning model or require special hardware to construct the adversarial audio. This paper proposes a new model-agnostic and easily-constructed attack, called CommanderGabble, which uses fast speech to camouflage voice commands. Both humans and ASR systems often misinterpret fast speech, and such misinterpretation can be exploited to launch hidden voice command attacks. Specifically, by carefully manipulating the phonetic structure of a target voice command, ASRs can be caused to derive a hidden meaning from the manipulated, high-speed version. We implement the discovered attacks both over-the-wire and over-the-air, and conduct a suite of experiments to demonstrate their efficacy against 7 practical ASR systems. Our experimental results show that the over-the-wire attacks can disguise as many as 96 out of 100 tested voice commands into adversarial ones, and that the over-the-air attacks are consistently successful for all 18 chosen commands in multiple real-world scenarios.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127957684","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 6

Detecting Audio Adversarial Examples with Logit Noising 使用Logit噪声检测音频对抗示例

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485912

N. Park, Sangwoo Ji, Jong Kim

{"title":"Detecting Audio Adversarial Examples with Logit Noising","authors":"N. Park, Sangwoo Ji, Jong Kim","doi":"10.1145/3485832.3485912","DOIUrl":"https://doi.org/10.1145/3485832.3485912","url":null,"abstract":"Automatic speech recognition (ASR) systems are vulnerable to audio adversarial examples that attempt to deceive ASR systems by adding perturbations to benign speech signals. Although an adversarial example and the original benign wave are indistinguishable to humans, the former is transcribed as a malicious target sentence by ASR systems. Several methods have been proposed to generate audio adversarial examples and feed them directly into the ASR system (over-line). Furthermore, many researchers have demonstrated the feasibility of robust physical audio adversarial examples (over-air). To defend against the attacks, several studies have been proposed. However, deploying them in a real-world situation is difficult because of accuracy drop or time overhead. In this paper, we propose a novel method to detect audio adversarial examples by adding noise to the logits before feeding them into the decoder of the ASR. We show that carefully selected noise can significantly impact the transcription results of the audio adversarial examples, whereas it has minimal impact on the transcription results of benign audio waves. Based on this characteristic, we detect audio adversarial examples by comparing the transcription altered by logit noising with its original transcription. The proposed method can be easily applied to ASR systems without any structural changes or additional training. The experimental results show that the proposed method is robust to over-line audio adversarial examples as well as over-air audio adversarial examples compared with state-of-the-art detection methods.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126638258","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 3

OPay: an Orientation-based Contactless Payment Solution Against Passive Attacks OPay:针对被动攻击的定向非接触式支付解决方案

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485887

Mahshid Mehr Nezhad, F. Hao

{"title":"OPay: an Orientation-based Contactless Payment Solution Against Passive Attacks","authors":"Mahshid Mehr Nezhad, F. Hao","doi":"10.1145/3485832.3485887","DOIUrl":"https://doi.org/10.1145/3485832.3485887","url":null,"abstract":"The usage of contactless payment has surged in recent years, especially during the Covid19 pandemic. A Passive relay (PR) attack against a contactless card is a well-known threat, which has been extensively studied in the past with many solutions available. However, with the mass deployment of mobile point-of-sale (mPoS) devices, there emerges a new threat, which we call mPoS-based passive (MP) attacks. In an MP attack, the various components required in a PR attack, including an NFC reader, a wireless link, a remote card emulator, and a remote payment terminal, are conveniently combined into one compact device, hence the attack becomes much easier. Since the attacker and the victim are in the same location, the previous distance bounding or ambient sensor-based solutions are no longer effective. In this paper, we propose a new orientation-based payment solution called OPay. OPay builds on the observation that when a user makes a legitimate contactless payment, the card and the terminal surface are naturally aligned, but in an attack scenario, this situation is less likely to occur. This allows us to distinguish the legitimate payments from passive attacks based on measuring the alignment of orientations. We build a concrete prototype using two Arduino boards embedded with NFC and motion sensors to act as a card and a payment terminal respectively. To evaluate the feasibility, we recruited twenty volunteers in a user study. Participants generally find OPay easy to use, fast and reliable. Experiments show that OPay can substantially reduce the attack success rate by 85-99% with little inconvenience to real users. To our best knowledge, OPay is the first solution that can prevent both the PR and MP attacks, while preserving the existing usage model in contactless payment.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"206 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115731863","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 2

Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks 窃取机器学习模型:生成对抗网络的攻击和对策

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485838

Hailong Hu, Jun Pang

引用次数: 13

Optimized Paillier’s Cryptosystem with Fast Encryption and Decryption 基于快速加解密的优化Paillier密码系统

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485842

Huanyu Ma, Shuai Han, H. Lei

{"title":"Optimized Paillier’s Cryptosystem with Fast Encryption and Decryption","authors":"Huanyu Ma, Shuai Han, H. Lei","doi":"10.1145/3485832.3485842","DOIUrl":"https://doi.org/10.1145/3485832.3485842","url":null,"abstract":"In this paper, we propose a new optimization for the Paillier’s additively homomorphic encryption scheme (Eurocrypt’99). At the heart of our optimization is a well-chosen subgroup of the underlying , which is used as the randomness space for masking messages during encryption. The size of the subgroup is significantly smaller than that of , leading to faster encryption and decryption algorithms of our optimization. We establish the one-wayness and semantic security of our optimized Paillier scheme upon those of an optimization (i.e., “Scheme 3”) made by Paillier in Eurocrypt’99. Thus, our optimized scheme is one-way under the partial discrete logarithm (PDL) assumption, and is semantically secure under the decisional PDL (DPDL) assumption. On the other hand, we present a detailed analysis on the concrete security of our optimized scheme under several known methods. To provide 112-bit security, our analysis suggests that a 2048-bit modulus N and a well-chosen subgroup of size 448-bit would suffice. We compare our optimization with existing optimized Paillier schemes, including the Jurik’s optimization proposed by Jurik in his Ph.D. thesis and the Paillier’s optimization in Eurocrypt’99. Our experiments show that, – the encryption of our optimization is about 2.7 times faster than that of the Jurik’s optimization and is about 7.5 times faster than that of the Paillier’s optimization; – the decryption of our optimization is about 4.1 times faster than that of the Jurik’s optimization and has a similar performance with that of the Paillier’s optimization.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"262 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133974221","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 3

ARID: Anonymous Remote IDentification of Unmanned Aerial Vehicles 无人机的匿名远程识别

Annual Computer Security Applications Conference Pub Date : 2021-12-06 DOI: 10.1145/3485832.3485834

Pietro Tedeschi, Savio Sciancalepore, R. Di Pietro

{"title":"ARID: Anonymous Remote IDentification of Unmanned Aerial Vehicles","authors":"Pietro Tedeschi, Savio Sciancalepore, R. Di Pietro","doi":"10.1145/3485832.3485834","DOIUrl":"https://doi.org/10.1145/3485832.3485834","url":null,"abstract":"To enable enhanced accountability of Unmanned Aerial Vehicles (UAVs) operations, the US-based Federal Avionics Administration (FAA) recently published a new dedicated regulation, namely RemoteID, requiring UAV operators to broadcast messages reporting their identity and location. The enforcement of such a rule, mandatory by 2022, generated significant concerns on UAV operators, primarily because of privacy issues derived by the indiscriminate broadcast of the plain-text identity of the UAV on the wireless channel. In this paper, we propose ARID, a solution enabling RemoteID-compliant Anonymous Remote Identification of UAVs. The adoption of ARID allows UAVs to broadcast RemoteID-compliant messages using ephemeral pseudonyms that only a Trusted Authority, such as the FAA, can link to the long-term identifier of the UAV and its operator. Moreover, ARID also enforces UAV message authenticity, to protect UAVs against impersonation and spoofed reporting, while requiring an overall minimal toll on the battery budget. Furthermore, ARID generates negligible overhead on the Trusted Authority, not requiring the secure maintenance of any private database. While the security properties of ARID are thoroughly discussed and formally verified with ProVerif, we also implemented a prototype of ARID on a real UAV, i.e., the 3DR-Solo drone, integrating our solution within the popular Poky Operating System, on top of the widespread MAVLink protocol. Our experimental performance evaluation shows that the most demanding configuration of ARID takes only ≈ 11.23 ms to generate a message and requires a mere 4.72 mJ of energy. Finally, we also released the source code of ARID to foster further investigations and development by Academia, Industry, and practitioners.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120956541","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 11