{"title":"Routing in the Dark: Pitch Black","authors":"Nathan S. Evans, Chris GauthierDickey, Christian Grothoff","doi":"10.1109/ACSAC.2007.7","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.7","url":null,"abstract":"In many networks, such as mobile ad-hoc networks and friend-to-friend overlay networks, direct communication between nodes is limited to specific neighbors. Often these networks have a small-world topology; while short paths exist between any pair of nodes in small-world networks, it is non-trivial to determine such paths with a distributed algorithm. Recently, Clarke and Sandberg proposed the first decentralized routing algorithm that achieves efficient routing in such small-world networks. This paper is the first independent security analysis of Clarke and Sandberg's routing algorithm. We show that a relatively weak participating adversary can render the overlay ineffective without being detected, resulting in significant data loss due to the resulting load imbalance. We have measured the impact of the attack in a testbed of 800 nodes using minor modifications to Clarke and Sandberg's implementation of their routing algorithm in Freenet. Our experiments show that the attack is highly effective, allowing a small number of malicious nodes to cause rapid loss of data on the entire network. We also discuss various proposed countermeasures designed to detect, thwart or limit the attack. While we were unable to find effective countermeasures, we hope that the presented analysis will be a first step towards the design of secure distributed routing algorithms for restricted-route topologies.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"54 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127112286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Extending the Java Virtual Machine to Enforce Fine-Grained Security Policies in Mobile Devices","authors":"Iulia Ion, Boris Dragovic, B. Crispo","doi":"10.1109/ACSAC.2007.36","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.36","url":null,"abstract":"The growth of the applications and services market for mobile devices is currently slowed down by the lack of a flexible and reliable security infrastructure. The development and adoption of a new generation of mobile applications depends on the end user's ability to finely manage system security and control applications' behavior. The virtual execution environment for mobile software and services should support the security needs of users and applications. This paper proposes an extension to the security architecture of the Java virtual machine for mobile systems, to support fine-grained policy specification and run-time enforcement. Access control decisions are based on system state, application and system history data, as well as request-specific parameters. The prototype implementation runs on desktops, as an emulator, and on mobile devices, proving the high level of flexibility and security, with excellent performance, provided by the extended architecture.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124246247","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Improving Signature Testing through Dynamic Data Flow Analysis","authors":"Christopher Krügel, D. Balzarotti, William K. Robertson, G. Vigna","doi":"10.1109/acsac.2007.40","DOIUrl":"https://doi.org/10.1109/acsac.2007.40","url":null,"abstract":"The effectiveness and precision of network-based intrusion detection signatures can be evaluated either by direct analysis of the signatures (if they are available) or by using black-box testing (if the system is closed-source). Recently, several techniques have been proposed to generate test cases by automatically deriving variations (or mutations) of attacks. Even though these techniques have been useful in identifying \"blindspots\" in the signatures of closed-source, network-based intrusion detection systems, the generation of test cases is performed in a random, unguided fashion. The reason is that there is no information available about the signatures to be tested. As a result, identifying a test case that is able to evade detection is difficult. In this paper, we propose a novel approach to drive the generation of test cases by using the information gathered by analyzing the dynamic behavior of the intrusion detection system. Our approach applies dynamic dataflow analysis techniques to the intrusion detection system to identify which parts of a network stream are used to detect an attack and how these parts are matched by a signature. The result of our analysis is a set of constraints that is used to guide the black-box testing process, so that the mutations are applied to only those parts of the attack that are relevant for detection. By doing this, we are able to perform a more focused generation of the test cases and improve the process of identifying an attack variation that evades detection.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130762565","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Countering False Accusations and Collusion in the Detection of In-Band Wormholes","authors":"D. Sterne, G. Lawler, R. Gopaul, B. Rivera, K. Marcus, P. Kruus","doi":"10.1109/ACSAC.2007.41","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.41","url":null,"abstract":"Cooperative intrusion detection techniques for MANETs utilize ordinary computing hosts as network intrusion sensors. If compromised, these hosts may inject bogus data into the intrusion detection system to hide their activities or falsely accuse well-behaved nodes. Approaches to Byzantine fault tolerance involving voting are potentially applicable, but must address the fact that only nodes in particular topological locations at particular times are qualified to vote on whether an attack occurred. We examine these issues in the context of a prototype distributed detector for self-contained, in-band wormholes in OLSR networks. We propose an opportunistic voting algorithm and present test results from a 48-node testbed in which colluding attackers generate corroborating false accusations against pairs of innocent nodes. The results indicate that opportunistic voting can instantaneously suppress false accusations when the network topology and routes chosen by OLSR provide a sufficient number of nearby honest observers to outvote the attackers.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128541086","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Security Usability Principles for Vulnerability Analysis and Risk Assessment","authors":"A. Jøsang, Bander AlFayyadh, T. Grandison, Mohammed Al Zomai, J. McNamara","doi":"10.1109/ACSAC.2007.14","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.14","url":null,"abstract":"Usability is the weakest link in the security chain of many prominent applications. A set of security usability principles should therefore be considered when designing and engineering IT security solutions. When improving the usability of existing security applications, it is necessary to examine the underlying security technologies used to build them, and consider whether they need to be replaced by totally new security technologies that provide a better basis for good usability. This paper examines a set of security usability principles, proposes how they can be incorporated into the risk management process, and discusses the benefits of applying these principles and process to existing and future security solutions.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116451187","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Efficient Detection of Delay-Constrained Relay Nodes","authors":"Baris Coskun, N. Memon","doi":"10.1109/ACSAC.2007.29","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.29","url":null,"abstract":"Relay nodes are a potential threat to networks since they are used in many malicious situations like stepping stone attacks, botnet communication, peer-to-peer streaming etc. Quick and accurate detection of relay nodes in a network can significantly improve security policy enforcement. There has been significant work done and novel solutions proposed for the problem of identifying relay flows active within a node in the network. However, these solutions require a quadratic number of comparisons in the number of flows. In this paper, a related problem of identifying relay nodes is investigated where a relay node is defined as a node in the network that has an active relay flow. The problem is formulated as a variance estimation problem and a statistical approach is proposed for the solution. The proposed solution requires linear time and space in the number of flows and therefore can be employed in large scale implementations. It can be used on its own to identify relay nodes or as a first step in a scalable relay flow detection solution that performs known quadratic time analysis techniques for relay flow detection only on nodes that have been detected as relay nodes. Experimental results show that the proposed scheme is able to detect relay nodes even in the presence of intentional inter-packet delays and chaff packets introduced by adversaries in order to defeat timing based detection algorithms.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114190534","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bonsai: Balanced Lineage Authentication","authors":"Ashish Gehani, U. Lindqvist","doi":"10.1109/ACSAC.2007.45","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.45","url":null,"abstract":"The provenance of a piece of data is of utility to a wide range of applications. Its availability can be drastically increased by automatically collecting lineage information during filesystem operations. However, when data is processed by multiple users in independent administrative domains, the resulting filesystem metadata can be trusted only if it has been cryptographically certified. This has three ramifications: it slows down filesystem operations, it requires more storage for metadata, and verification depends on attestations from remote nodes. We show that current schemes do not scale in a distributed environment. In particular, as data is processed, the latency of filesystem operations will degrade exponentially. Further, the amount of storage needed for the lineage metadata will grow at a similar rate. Next, we examine a completely decentralized scheme that has fast filesystem operations with minimal storage overhead. We demonstrate that its verification operation will fail with an exponentially increasing likelihood as more nodes are unreachable (because of being powered off or disconnected from the network). Finally, we present a new scheme, Bonsai, where the verification failure is significantly reduced by tolerating a small increase in filesystem latency and storage overhead for certification compared to file systems without lineage certification.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130924026","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Automated Format String Attack Prevention for Win32/X86 Binaries","authors":"Wei Li, T. Chiueh","doi":"10.1109/ACSAC.2007.23","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.23","url":null,"abstract":"A format string attack exploits the fact that variadic functions determine the exact number of input arguments based on the format string argument, and compromises the victim application's address space by accessing data areas beyond the original input argument list the caller prepares. This paper describes the design, implementation and evaluation of a Win32 binary transformation tool called Lisbon, which transparently inserts into Win32 binaries additional checks that protect them from format string vulnerabilities. Lisbon casts the format string attack prevention problem as an input argument list bound checking problem. To reduce the run-time checking overhead, Lisbon exploits the debug register hardware, which is available in most mainstream CPUs including Intel's X86 architecture, to detect if a callee accesses data outside the input argument list. Moreover, Lisbon is able to detect format string attacks without interpreting their format strings and is thus potentially applicable to similar attacks against other functions that access input arguments in the same way as printf(). The runtime throughput penalty of the first Lisbon prototype is under 2% for a set of test network applications that are known to be vulnerable to format string attacks.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125428870","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms","authors":"Jeff Yan, A. E. Ahmad","doi":"10.1109/ACSAC.2007.47","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.47","url":null,"abstract":"Visual CAPTCHAs have been widely used across the Internet to defend against undesirable or malicious bot programs. In this paper, we document how we have broken most such visual schemes provided at Captchaservice.org, a publicly available web service for CAPTCHA generation. These schemes were effectively resistant to attacks conducted using a high-quality Optical Character Recognition program, but were broken with a near 100% success rate by our novel attacks. In contrast to early work that relied on sophisticated computer vision or machine learning algorithms, we used simple pattern recognition algorithms but exploited fatal design errors that we discovered in each scheme. Surprisingly, our simple attacks can also break many other schemes deployed on the Internet at the time of writing: their design had similar errors. We also discuss defence against our attacks and new insights on the design of visual CAPTCHA schemes.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117186651","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting","authors":"A. Kiayias, L. Michel, A. Russell, N. Shashidhar, Andrew See, Alexander A. Shvartsman, S. Davtyan","doi":"10.1109/ACSAC.2007.16","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.16","url":null,"abstract":"Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demands high security and reliability, as well as low cost and low power consumption. Electronic voting machines are a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets themselves. Still, election results are based on machine-generated totals as well as machine-generated audit reports to validate the voting process. In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machine's proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (and thus significantly increase their magnitude) or, (ii) conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks, we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe use of OS voting systems.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132703016","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}