Kuniyasu Suzaki
k.suz****@aist*****
Tue, 5 Jan 2010 10:44:00 JST
Suzaki here. I'm forwarding this because I think people on this ML will be interested too.

The program for NDSS (Network and Distributed Systems Security Symposium) 2010 has been published.
http://www.isoc.org/isoc/conferences/ndss/10/program.shtml
Feb 28-Mar 3, San Diego, CA

The Sybil attack on Vanish, the USENIX Security 09 Outstanding Student Paper, has already become a paper. That was quick.

----------------------------------------------------------------------

Session 1: Distributed Systems and Networks

Server-side Verification of Client Behavior in Online Games
Darrell Bethea, Robert Cochran and Michael Reiter
Online gaming is a lucrative industry, but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenues). This paper develops a technique by which game developers can enable game operators to validate the behavior of game clients as being consistent with valid execution of the sanctioned client software. The paper demonstrates its approach in two case studies: one of the open-source game XPilot, and one of a multiplayer game similar to Pac-Man.

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel
We examine the security of Vanish, a recent proposal for creating "self-destructing" data. Vanish works by encrypting messages and scattering the keys in a million-node DHT, where they remain accessible for only a few hours. We show that an attacker can defeat Vanish by conducting a large Sybil attack against the DHT and recording every value before it ages out. Optimizations allow the attacker to reduce the cost by more than two orders of magnitude from the Vanish authors' projections.

Stealth DoS Attacks on Secure Channels
Amir Herzberg and Haya Shulman
Can security mechanisms in the IP layer protect TCP from denial/degradation of service (DoS) attacks by a stealth adversary who can eavesdrop and inject (a few) packets? We present such attacks on IPsec without an anti-replay window, and on IPsec with a small anti-replay window. We subsequently show how to calculate the correct size of the anti-replay window. Then, we present a (slightly more elaborate) attack that works for any size of window. Finally we propose modifications to the IPsec gateway that defend against the stealth DoS attacks.

Session 2: Web Security and Privacy

Protecting Browsers from Extension Vulnerabilities
Adam Barth, Adrienne Porter Felt, Prateek Saxena, and Aaron Boodman
Buggy browser extensions can be exploited by malicious web site operators. In Firefox, these exploits are dangerous because extensions run with the user's full privileges, including local system access. We analyze 25 popular Firefox extensions and find that 88% need less than the full set of privileges. We propose a new browser extension platform based on least privilege, privilege separation, and strong isolation. Our design has been adopted as the Google Chrome extension system.

Adnostic: Privacy Preserving Targeted Advertising
Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum and Solon Barocas
Adnostic is a practical architecture and prototype implementation that enables targeted advertising without compromising user privacy. Behavioral profiling and targeting in Adnostic takes place in the browser while the ad network remains agnostic to the user's interests. Our paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. We also describe a cryptographic billing system that lets ad networks bill the correct advertiser without knowing which ad was displayed to the user.

FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song
Much of the prior research on web application vulnerabilities has focused on server-side vulnerabilities. This paper highlights a new class of vulnerabilities, which we term client-side validation (or CSV) vulnerabilities, that arise due to improper validation in client-side JavaScript code and can result in a broad spectrum of attacks. We propose a new dynamic analysis technique to systematically discover this class of vulnerabilities that is light-weight, efficient and has no false positives. We implement our approach in a tool called FLAX. In our evaluation on live web applications, FLAX has found numerous CSV vulnerabilities in the wild, demonstrating both its practical scalability and the prevalence of this class of vulnerabilities in real-world applications.

Session 3: Intrusion Detection and Attack Analysis

Effective Anomaly Detection with Scarce Training Data
William Robertson, Federico Maggi, Christopher Kruegel and Giovanni Vigna
Learning-based anomaly detection has proven to be an effective black-box technique for detecting unknown attacks. However, the technique crucially depends upon both the quality and the completeness of the training data, both of which are routinely lacking in real-world settings. In this work, we present an approach for remediating a local scarcity of training data by automatically leveraging similar, well-trained models from other sites. We experimentally demonstrate the efficacy of the approach in the context of web application anomaly detection over a data set of more than 58 million HTTP requests.

Large-Scale Automatic Classification of Phishing Pages
Colin Whittaker, Brian Ryner and Marria Nazif
We present the design and performance characteristics of a scalable machine learning classifier that detects phishing websites. We use this classifier to maintain Google's phishing blacklist automatically, analyzing millions of potentially phishing pages every day. To train our classifier, we use a dataset consisting of millions of samples from previously classified pages labeled according to our published blacklist. Despite noise in the training labels, our classifier learns a robust model for identifying phishing pages which correctly classifies more than 90% of phishing pages several weeks after training concludes.

A Systematic Characterization of IM Threats using Honeypots
Iasonas Polakis, Thanasis Petsas, Evangelos P. Markatos and Spiros Antonatos
The popularity of instant messaging (IM) services has recently attracted the interest of attackers that send malicious URLs or files to the contact lists of compromised instant messaging accounts or clients. This work aims to provide a systematic characterization of IM threats based on the information collected by HoneyBuddy, a honeypot-like infrastructure for detecting malicious activities in IM networks. We also deploy the prototype implementation of our myMSNhoneypot service, an early detection service that can inform users if their accounts or IM clients have been compromised.

Session 4: Spam

On Network-level Clusters for Spam Detection
Zhiyun Qian, Zhuoqing Mao, Yinglian Xie and Fang Yu
Researchers have already recognized the need to identify IP clusters instead of focusing on individual IP addresses to construct blacklists for detecting spam. In this paper, building on BGP clusters, we propose a significantly improved clustering approach integrating both network origin and DNS information. The false negative rate can be reduced by 30% - 50% using 7 month traces compared to directly applying various public IP-based blacklists and SpamAssassin, without affecting the false positive rate.

Improving Spam Blacklisting Through Dynamic Thresholding and Speculative Aggregation
Sushant Sinha, Michael Bailey and Farnam Jahanian
Spam constitutes a significant fraction of all e-mail connection attempts and routinely frustrates users, consumes resources, and serves as an infection vector for malicious software. In an effort to reduce the impact of these e-mails, operators have increasingly turned to coarse-grained, reputation-based, dynamic policy enforcement, or blacklisting. While scalable, blacklisting exhibits both false positives and false negatives. In this paper, we argue that blacklists should be tailored and present two techniques that leverage local perspectives to significantly improve blacklist accuracy.

Botnet Judo: Fighting Spam with Itself
Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage
Judo is a system for better filtering spam by exploiting the vantage point of the spammer. By instantiating and monitoring botnet hosts in a controlled environment, we are able to monitor new spam as it is created, and consequently infer the underlying template used to generate polymorphic e-mail messages. We demonstrate this approach on mail traces from a range of modern botnets and show that we can automatically filter such spam precisely and with virtually no false positives.

Session 5: Anonymity and Cryptographic Systems

Contractual Anonymity
Edward J. Schwartz, David Brumley and Jonathan M. McCune
We propose, develop, and implement techniques for achieving contractual anonymity. In contractual anonymity, a user and service provider enter into an anonymity contract. The user is guaranteed anonymity and message unlinkability from the contractual anonymity system unless she breaks the contract. The service provider is guaranteed that it can identify users who break the contract. Our system can enforce many types of contract policies, is efficient, and has a small trusted computing base.

A3: An Extensible Platform for Application-Aware Anonymity
Micah Sherr, Andrew Mao, William R. Marczak, Wenchao Zhou and Boon Thau Loo
This paper presents the design and implementation of Application-Aware Anonymity (A3), an extensible platform for deploying anonymity-based services on the Internet. A3 allows applications to tailor their anonymity and performance properties according to their communication requirements. To support flexible path construction, A3 exposes a declarative language (A3Log) that enables applications to compactly specify path selection and instantiation policies. A3Log is sufficiently versatile to represent novel multi-metric performance constraints as well as existing relay selection algorithms.

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
Thomas Ristenpart and Scott Yilek
Random number generators (RNGs) are consistently a weak link in the secure use of cryptography. Routine cryptographic operations such as encryption and signing can fail spectacularly given predictable or repeated randomness, even when using good long-lived key material. This has proved problematic in prior settings when RNG implementation bugs, poor design, or low-entropy sources have resulted in predictable randomness. We investigate a new way in which RNGs fail due to reuse of virtual machine (VM) snapshots. We exhibit such VM reset vulnerabilities in widely-used TLS clients and servers: the attacker takes advantage of (or forces) snapshot replay to compromise sessions or even expose a server's DSA signing key. Our next contribution is a backwards-compatible framework for hedging routine cryptographic operations against bad randomness, thereby mitigating the damage due to randomness failures. We apply our framework to the OpenSSL library and experimentally confirm that it has little overhead.

Session 6: Security Protocols and Policies

InvisiType: Object-Oriented Security Policies
Jiwon Seo and Monica S. Lam
This paper proposes InvisiType, an object-oriented approach that enables platform developers to enforce safety checks on third-party extensions without requiring their cooperation. Developers encapsulate safety checks in an InvisiType policy class and selectively subject objects at risk to these policies. The run-time enforces these policies by changing the types of these objects dynamically. Our InvisiType policies successfully found 19 cross-site scripting vulnerabilities and 6 access control errors in total. The runtime overhead is small, indicating that the technique is practical.

A Security Evaluation of DNSSEC with NSEC3
Jason Bau and John Mitchell
This paper studies the goals and operations of DNSSEC/NSEC3 and uses Murphi, a finite-state enumeration tool, to check its security properties in the presence of a network attacker model. We uncover several weaknesses in DNSSEC, including incorrect dependencies in the signature chain and NSEC3 options that allow forged name insertion into a domain. We then confirm the exploitability of the NSEC3 vulnerability in a realistic laboratory DNSSEC domain. We finally offer implementation and configuration advice minimizing exploitability of the uncovered vulnerabilities.

On the Safety of Enterprise Policy Deployment
Yudong Gao, Ni Pan, Xu Chen and Z. Morley Mao
We present the first work to address the security issues of enterprise policy deployment, an under-studied procedure that leaves security vulnerabilities if not carefully designed. We formally define insecure states during policy deployments and demonstrate their security implications with real examples. We further propose an efficient algorithm to generate deployment procedures that are free of insecure states, and implement it on the Group Policy framework requiring no infrastructure modification. We show that our algorithm adds minimal overhead while provably eliminating insecure intermediate states.

Session 7: Languages and Systems Security

Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation
Suresh Chari, Shai Halevi and Wietse Venema
We analyze filename-based privilege escalation attacks, where victim programs are "tricked" into opening unintended files. Solutions to this problem nowadays are built into some applications, but we show that it can be solved in the file system itself (or a library), thus providing protection to all applications. Our solution builds on a new name-resolution procedure, ensuring that files in "safe directories" cannot be opened using an "unsafe pathname". Comprehensive tests on several UNIX variants confirm that this solution is viable.

Joe-E: A Security-Oriented Subset of Java
Adrian Mettler, David Wagner and Tyler Close
Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implement application-specific reference monitors that cannot be bypassed; introduce and use domain-specific security abstractions; safely execute and interact with untrusted code; and build secure, extensible systems. Joe-E provides object-capability security while retaining the features and feel of a mainstream language.

Preventing Capability Leaks in Secure JavaScript Subsets
Matthew Finifter, Joel Weinberger and Adam Barth
To protect themselves from malicious web advertisements, publishers wish to sandbox ads. One popular approach is to statically verify that the ads conform to a "safe" subset of JavaScript that blacklists known-dangerous properties. We show this approach is insufficient because the ads can abuse new methods defined by the hosting page. We propose an improved subset based on whitelisting known-safe properties using namespaces.

Session 8: Malware

Binary Code Extraction and Interface Identification for Security Applications
Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song
In this paper we conduct the first systematic study of binary code reuse, the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from the program's binary, so that it is self-contained and can be reused by external code. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program's binary, and use a combination of dynamic and static analysis to extract the code.

Automatic Reverse Engineering of Data Structures from Binary Execution
Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu
In many security and forensics applications, it is desirable to uncover data structures in a binary program with their syntactic and semantic definitions. We present REWARDS, a reverse engineering technique that automatically reveals such information via dynamic analysis. By performing runtime data flow tracking, REWARDS identifies variables and resolves variable types based on type-revealing execution points encountered during execution. We demonstrate that REWARDS provides unique benefits to two applications: memory image forensics and binary fuzzing for vulnerability discovery.

Efficient Detection of Split Personalities in Malware
Davide Balzarotti, Marco Cova, Christoph Karlberger, Engin Kirda, Christopher Kruegel and Giovanni Vigna
A current challenge in malware analysis is detecting split-personality malware, i.e., malicious programs that, when run in an emulated or virtualized analysis environment, behave differently than on a real system. We developed a novel approach to detect such malware by first recording the malware's interaction with the operating system on an uninstrumented reference host and then leveraging the collected information to deterministically re-execute the program in a virtualized environment. If the malware's behavior is different, we conclude that the program has a split personality.

------ suzaki