K. Kohls, K. Jansen, David Rupprecht, Thorsten Holz, C. Pöpper
{"title":"On the Challenges of Geographical Avoidance for Tor","authors":"K. Kohls, K. Jansen, David Rupprecht, Thorsten Holz, C. Pöpper","doi":"10.14722/ndss.2019.23402","DOIUrl":"https://doi.org/10.14722/ndss.2019.23402","url":null,"abstract":"Traffic-analysis attacks are a persisting threat for Tor users. When censors or law enforcement agencies try to identify users, they conduct traffic-confirmation attacks and monitor encrypted transmissions to extract metadata—in combination with routing attacks, these attacks become sufficiently powerful to de-anonymize users. While traffic-analysis attacks are hard to detect and expensive to counter in practice, geographical avoidance provides an option to reject circuits that might be routed through an untrusted area. Unfortunately, recently proposed solutions introduce severe security issues by imprudent design decisions. In this paper, we approach geographical avoidance starting from a thorough assessment of its challenges. These challenges serve as the foundation for the design of an empirical avoidance concept that considers actual transmission characteristics for justified decisions. Furthermore, we address the problems of untrusted or intransparent ground truth information that hinder a reliable assessment of circuits. Taking these features into account, we conduct an empirical simulation study and compare the performance of our novel avoidance concept with existing approaches. Our results show that we outperform existing systems by 22% fewer rejected circuits, which reduces the collateral damage of overly restrictive avoidance decisions. In a second evaluation step, we extend our initial system concept and implement the prototype TrilateraTor. 
This prototype is the first to satisfy the requirements of a practical deployment, as it maintains Tor’s original level of security, provides reasonable performance, and overcomes the fundamental security flaws of existing systems.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"75 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74498944","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Athanasios Andreou, Márcio Silva, Fabrício Benevenuto, Oana Goga, P. Loiseau, A. Mislove
{"title":"Measuring the Facebook Advertising Ecosystem","authors":"Athanasios Andreou, Márcio Silva, Fabrício Benevenuto, Oana Goga, P. Loiseau, A. Mislove","doi":"10.14722/NDSS.2019.23280","DOIUrl":"https://doi.org/10.14722/NDSS.2019.23280","url":null,"abstract":"The Facebook advertising platform has been subject to a number of controversies in the past years regarding privacy violations, lack of transparency, as well as its capacity to be used by dishonest actors for discrimination or propaganda. In this study, we aim to provide a better understanding of the Facebook advertising ecosystem, focusing on how it is being used by advertisers. We first analyze the set of advertisers and then investigate how those advertisers are targeting users and customizing ads via the platform. Our analysis is based on the data we collected from over 600 real-world users via a browser extension that collects the ads our users receive when they browse their Facebook timeline, as well as the explanations for why users received these ads. Our results reveal that users are targeted by a wide range of advertisers (e.g., from popular to niche advertisers); that a non-negligible fraction of advertisers are part of potentially sensitive categories such as news and politics, health or religion; that a significant number of advertisers employ targeting strategies that could be either invasive or opaque; and that many advertisers use a variety of targeting parameters and ad texts. 
Overall, our work emphasizes the need for better mechanisms to audit ads and advertisers in social media and provides an overview of the platform usage that can help move towards such mechanisms.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"1 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78976551","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, A. Sadeghi, D. Teuchert
{"title":"NAUTILUS: Fishing for Deep Bugs with Grammars","authors":"Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, A. Sadeghi, D. Teuchert","doi":"10.14722/ndss.2019.23412","DOIUrl":"https://doi.org/10.14722/ndss.2019.23412","url":null,"abstract":"Fuzz testing is a well-known method for efficiently identifying bugs in programs. Unfortunately, when programs that require highly-structured inputs such as interpreters are fuzzed, many fuzzing methods struggle to pass the syntax checks: interpreters often process inputs in multiple stages, first syntactic and then semantic correctness is checked. Only if both checks are passed, the interpreted code gets executed. This prevents fuzzers from executing “deeper” — and hence potentially more interesting — code. Typically, two valid inputs that lead to the execution of different features in the target program require too many mutations for simple mutation-based fuzzers to discover: making small changes like bit flips usually only leads to the execution of error paths in the parsing engine. So-called grammar fuzzers are able to pass the syntax checks by using Context-Free Grammars. Feedback can significantly increase the efficiency of fuzzing engines and is commonly used in state-of-the-art mutational fuzzers which do not use grammars. Yet, current grammar fuzzers do not make use of code coverage, i.e., they do not know whether any input triggers new functionality. In this paper, we propose NAUTILUS, a method to efficiently fuzz programs that require highly-structured inputs by combining the use of grammars with the use of code coverage feedback. This allows us to recombine aspects of interesting inputs, and to increase the probability that any generated input will be syntactically and semantically correct. We implemented a proof-of-concept fuzzer that we tested on multiple targets, including ChakraCore (the JavaScript engine of Microsoft Edge), PHP, mruby, and Lua. 
NAUTILUS identified multiple bugs in all of the targets: Seven in mruby, three in PHP, two in ChakraCore, and one in Lua. Reporting these bugs was rewarded with a sum of 2600 USD and 6 CVEs were assigned. Our experiments show that combining context-free grammars and feedback-driven fuzzing significantly outperforms state-of-the-art approaches like AFL by an order of magnitude and grammar fuzzers by more than a factor of two when measuring code coverage.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"7 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88220565","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, Zhiqiang Lin
{"title":"Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services","authors":"Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, Zhiqiang Lin","doi":"10.14722/ndss.2019.23052","DOIUrl":"https://doi.org/10.14722/ndss.2019.23052","url":null,"abstract":"Increasingly, mobile application-based ride-hailing services have become a very popular means of transportation. Due to the handling of business logic, these services also contain a wealth of privacy-sensitive information such as GPS locations, car plates, driver licenses, and payment data. Unlike many of the mobile applications in which there is only one type of users, ride-hailing services face two types of users: riders and drivers. While most of the efforts have focused on the rider’s privacy, unfortunately, we notice little has been done to protect drivers. To raise the awareness of the privacy issues with drivers, in this paper we perform the first systematic study of the drivers’ sensitive data leakage in ride-hailing services. More specifically, we select 20 popular ride-hailing apps including Uber and Lyft and focus on one particular feature, namely the nearby cars feature. Surprisingly, our experimental results show that large-scale data harvesting of drivers is possible for all of the ride-hailing services we studied. In particular, attackers can determine with high precision the driver’s privacy-sensitive information including mostly visited address (e.g., home) and daily driving behaviors. Meanwhile, attackers can also infer sensitive information about the business operations and performances of ride-hailing services such as the number of rides, utilization of cars, and presence on the territory. 
In addition to presenting the attacks, we also shed light on the countermeasures the service providers could take to protect the driver’s sensitive information.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"11 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74817156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Marius Steffens, C. Rossow, Martin Johns, Ben Stock
{"title":"Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild","authors":"Marius Steffens, C. Rossow, Martin Johns, Ben Stock","doi":"10.14722/ndss.2019.23009","DOIUrl":"https://doi.org/10.14722/ndss.2019.23009","url":null,"abstract":"The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long since focused on three categories of XSS: Reflected, Persistent, and DOM-based XSS. In this paper, we argue that our community must consider at least four important classes of XSS, and present the first systematic study of the threat of Persistent Client-Side XSS, caused by the insecure use of client-side storage. While the existence of this class has been acknowledged, especially by the non-academic community like OWASP, prior works have either only found such flaws as side effects of other analyses or focused on a limited set of applications to analyze. Therefore, the community lacks in-depth knowledge about the actual prevalence of Persistent Client-Side XSS in the wild. To close this research gap, we leverage taint tracking to identify suspicious flows from client-side persistent storage (Web Storage, cookies) to dangerous sinks (HTML, JavaScript, and script.src). We discuss two attacker models capable of injecting malicious payloads into storage, i.e., a Network Attacker capable of temporarily hijacking HTTP communication (e.g., in a public WiFi), and a Web Attacker who can leverage flows into storage or an existing reflected XSS flaw to persist their payload. 
With our taint-aware browser and these models in mind, we study the prevalence of Persistent Client-Side XSS in the Alexa Top 5,000 domains. We find that more than 8% of them have unfiltered data flows from persistent storage to a dangerous sink, which showcases the developers’ inherent trust in the integrity of storage content. Even worse, if we only consider sites that make use of data originating from storage, 21% of the sites are vulnerable. For those sites with vulnerable flows from storage to sink, we find that at least 70% are directly exploitable by our attacker models. Finally, investigating the vulnerable flows originating from storage allows us to categorize them into four disjoint categories and propose appropriate mitigations.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"87 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91334728","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ferdinand Brasser, David Gens, Patrick Jauernig, A. Sadeghi, Emmanuel Stapf
{"title":"SANCTUARY: ARMing TrustZone with User-space Enclaves","authors":"Ferdinand Brasser, David Gens, Patrick Jauernig, A. Sadeghi, Emmanuel Stapf","doi":"10.14722/ndss.2019.23448","DOIUrl":"https://doi.org/10.14722/ndss.2019.23448","url":null,"abstract":"ARM TrustZone is one of the most widely deployed security architectures providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE’s attack surface: any vulnerable or malicious TA can compromise the system’s security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities; however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel’s SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day. We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem without relying on virtualization. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone’s normal world comparable to SGX’s user-space enclaves. In particular, we leverage TrustZone’s versatile Address Space Controller available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. 
Moreover, moving security-sensitive apps from the TrustZone’s secure world to isolated compartments minimizes the TEE’s attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged. We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"164 9 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86699052","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Samuel Weiser, M. Werner, Ferdinand Brasser, Maja Malenko, S. Mangard, A. Sadeghi
{"title":"TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V","authors":"Samuel Weiser, M. Werner, Ferdinand Brasser, Maja Malenko, S. Mangard, A. Sadeghi","doi":"10.14722/NDSS.2019.23068","DOIUrl":"https://doi.org/10.14722/NDSS.2019.23068","url":null,"abstract":"Embedded computing devices are used on a large scale in the emerging internet of things (IoT). However, their wide deployment raises the incentive for attackers to target these devices, as demonstrated by several recent attacks. As IoT devices are built for long service life, means are required to protect sensitive code in the presence of potential vulnerabilities, which might be discovered long after deployment. Tagged memory has been proposed as a mechanism to enforce various fine-grained security policies at runtime. However, none of the existing tagged memory schemes provides efficient and flexible compartmentalization in terms of isolated execution environments. We present TIMBER-V, a new tagged memory architecture featuring flexible and efficient isolation of code and data on small embedded systems. We overcome several limitations of previous schemes. We augment tag isolation with a memory protection unit to isolate individual processes, while maintaining low memory overhead. TIMBER-V significantly reduces the problem of memory fragmentation, and improves dynamic reuse of untrusted memory across security boundaries. TIMBER-V enables novel sharing of execution stacks across different security domains, in addition to interleaved heaps. TIMBER-V is compatible with existing code, supports real-time constraints and is open source. 
We show the efficiency of TIMBER-V by evaluating our proof-of-concept implementation on the RISC-V simulator.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"32 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73285928","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tigist Abera, Raad Bahmani, Ferdinand Brasser, Ahmad Ibrahim, A. Sadeghi, M. Schunter
{"title":"DIAT: Data Integrity Attestation for Resilient Collaboration of Autonomous Systems","authors":"Tigist Abera, Raad Bahmani, Ferdinand Brasser, Ahmad Ibrahim, A. Sadeghi, M. Schunter","doi":"10.14722/ndss.2019.23420","DOIUrl":"https://doi.org/10.14722/ndss.2019.23420","url":null,"abstract":"Networks of autonomous collaborative embedded systems are emerging in many application domains such as vehicular ad-hoc networks, robotic factory workers, search/rescue robots, delivery and search drones. To perform their collaborative tasks the involved devices exchange various types of information such as sensor data, status information, and commands. For the correct operation of these complex systems each device must be able to verify that the data coming from other devices is correct and has not been maliciously altered. In this paper, we present DIAT – a novel approach that allows verifying the correctness of data by attesting the correct generation as well as processing of data using control-flow attestation. DIAT enables devices in autonomous collaborative networks to securely and efficiently interact, relying on a minimal TCB. It ensures that the data sent from one device to another device is not maliciously changed, neither during transport nor during generation or processing on the originating device. Data exchanged between devices in the network is therefore authenticated along with a proof of integrity of all software involved in its generation and processing. To enable this, the embedded devices’ software is decomposed into simple interacting modules, reducing the amount and complexity of software that needs to be attested, i.e., only those modules that process the data are relevant. As a proof of concept we implemented and evaluated our scheme DIAT on a state-of-the-art flight controller for drones. 
Furthermore, we evaluated our scheme in a simulation environment to demonstrate its scalability for large-scale systems.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"16 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-01-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91150279","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tohid Shekari, C. Bayens, Morris Cohen, L. Graber, R. Beyah
{"title":"RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the Power Grid","authors":"Tohid Shekari, C. Bayens, Morris Cohen, L. Graber, R. Beyah","doi":"10.14722/ndss.2019.23462","DOIUrl":"https://doi.org/10.14722/ndss.2019.23462","url":null,"abstract":"","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"13 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82633843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}