Pub Date : 2019-02-24DOI: 10.14722/ndss.2019.23402
K. Kohls, K. Jansen, David Rupprecht, Thorsten Holz, C. Pöpper
Traffic-analysis attacks are a persisting threat for Tor users. When censors or law enforcement agencies try to identify users, they conduct traffic-confirmation attacks and monitor encrypted transmissions to extract metadata—in combination with routing attacks, these attacks become sufficiently powerful to de-anonymize users. While traffic-analysis attacks are hard to detect and expensive to counter in practice, geographical avoidance provides an option to reject circuits that might be routed through an untrusted area. Unfortunately, recently proposed solutions introduce severe security issues by imprudent design decisions. In this paper, we approach geographical avoidance starting from a thorough assessment of its challenges. These challenges serve as the foundation for the design of an empirical avoidance concept that considers actual transmission characteristics for justified decisions. Furthermore, we address the problems of untrusted or intransparent ground truth information that hinder a reliable assessment of circuits. Taking these features into account, we conduct an empirical simulation study and compare the performance of our novel avoidance concept with existing approaches. Our results show that we outperform existing systems by 22% fewer rejected circuits, which reduces the collateral damage of overly restrictive avoidance decisions. In a second evaluation step, we extend our initial system concept and implement the prototype TrilateraTor. This prototype is the first to satisfy the requirements of a practical deployment, as it maintains Tor’s original level of security, provides reasonable performance, and overcomes the fundamental security flaws of existing systems.
{"title":"On the Challenges of Geographical Avoidance for Tor","authors":"K. Kohls, K. Jansen, David Rupprecht, Thorsten Holz, C. Pöpper","doi":"10.14722/ndss.2019.23402","DOIUrl":"https://doi.org/10.14722/ndss.2019.23402","url":null,"abstract":"Traffic-analysis attacks are a persisting threat for Tor users. When censors or law enforcement agencies try to identify users, they conduct traffic-confirmation attacks and monitor encrypted transmissions to extract metadata—in combination with routing attacks, these attacks become sufficiently powerful to de-anonymize users. While traffic-analysis attacks are hard to detect and expensive to counter in practice, geographical avoidance provides an option to reject circuits that might be routed through an untrusted area. Unfortunately, recently proposed solutions introduce severe security issues by imprudent design decisions. In this paper, we approach geographical avoidance starting from a thorough assessment of its challenges. These challenges serve as the foundation for the design of an empirical avoidance concept that considers actual transmission characteristics for justified decisions. Furthermore, we address the problems of untrusted or intransparent ground truth information that hinder a reliable assessment of circuits. Taking these features into account, we conduct an empirical simulation study and compare the performance of our novel avoidance concept with existing approaches. Our results show that we outperform existing systems by 22% fewer rejected circuits, which reduces the collateral damage of overly restrictive avoidance decisions. In a second evaluation step, we extend our initial system concept and implement the prototype TrilateraTor. This prototype is the first to satisfy the requirements of a practical deployment, as it maintains Tor’s original level of security, provides reasonable performance, and overcomes the fundamental security flaws of existing systems.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"75 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74498944","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-24DOI: 10.14722/NDSS.2019.23280
Athanasios Andreou, Márcio Silva, Fabrício Benevenuto, Oana Goga, P. Loiseau, A. Mislove
The Facebook advertising platform has been subject to a number of controversies in the past years regarding privacy violations, lack of transparency, as well as its capacity to be used by dishonest actors for discrimination or propaganda. In this study, we aim to provide a better understanding of the Facebook advertising ecosystem, focusing on how it is being used by advertisers. We first analyze the set of advertisers and then investigate how those advertisers are targeting users and customizing ads via the platform. Our analysis is based on the data we collected from over 600 real-world users via a browser extension that collects the ads our users receive when they browse their Facebook timeline, as well as the explanations for why users received these ads. Our results reveal that users are targeted by a wide range of advertisers (e.g., from popular to niche advertisers); that a non-negligible fraction of advertisers are part of potentially sensitive categories such as news and politics, health or religion; that a significant number of advertisers employ targeting strategies that could be either invasive or opaque; and that many advertisers use a variety of targeting parameters and ad texts. Overall, our work emphasizes the need for better mechanisms to audit ads and advertisers in social media and provides an overview of the platform usage that can help move towards such mechanisms.
{"title":"Measuring the Facebook Advertising Ecosystem","authors":"Athanasios Andreou, Márcio Silva, Fabrício Benevenuto, Oana Goga, P. Loiseau, A. Mislove","doi":"10.14722/NDSS.2019.23280","DOIUrl":"https://doi.org/10.14722/NDSS.2019.23280","url":null,"abstract":"The Facebook advertising platform has been subject to a number of controversies in the past years regarding privacy violations, lack of transparency, as well as its capacity to be used by dishonest actors for discrimination or propaganda. In this study, we aim to provide a better understanding of the Facebook advertising ecosystem, focusing on how it is being used by advertisers. We first analyze the set of advertisers and then investigate how those advertisers are targeting users and customizing ads via the platform. Our analysis is based on the data we collected from over 600 real-world users via a browser extension that collects the ads our users receive when they browse their Facebook timeline, as well as the explanations for why users received these ads. Our results reveal that users are targeted by a wide range of advertisers (e.g., from popular to niche advertisers); that a non-negligible fraction of advertisers are part of potentially sensitive categories such as news and politics, health or religion; that a significant number of advertisers employ targeting strategies that could be either invasive or opaque; and that many advertisers use a variety of targeting parameters and ad texts. Overall, our work emphasizes the need for better mechanisms to audit ads and advertisers in social media and provides an overview of the platform usage that can help move towards such mechanisms.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"1 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78976551","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-01DOI: 10.14722/ndss.2019.23412
Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, A. Sadeghi, D. Teuchert
Fuzz testing is a well-known method for efficiently identifying bugs in programs. Unfortunately, when programs that require highly-structured inputs such as interpreters are fuzzed, many fuzzing methods struggle to pass the syntax checks: interpreters often process inputs in multiple stages, first syntactic and then semantic correctness is checked. Only if both checks are passed, the interpreted code gets executed. This prevents fuzzers from executing “deeper” — and hence potentially more interesting — code. Typically, two valid inputs that lead to the execution of different features in the target program require too many mutations for simple mutation-based fuzzers to discover: making small changes like bit flips usually only leads to the execution of error paths in the parsing engine. So-called grammar fuzzers are able to pass the syntax checks by using ContextFree Grammars. Feedback can significantly increase the efficiency of fuzzing engines and is commonly used in state-of-the-art mutational fuzzers which do not use grammars. Yet, current grammar fuzzers do not make use of code coverage, i.e., they do not know whether any input triggers new functionality. In this paper, we propose NAUTILUS, a method to efficiently fuzz programs that require highly-structured inputs by combining the use of grammars with the use of code coverage feedback. This allows us to recombine aspects of interesting inputs, and to increase the probability that any generated input will be syntactically and semantically correct. We implemented a proofof-concept fuzzer that we tested on multiple targets, including ChakraCore (the JavaScript engine of Microsoft Edge), PHP, mruby, and Lua. NAUTILUS identified multiple bugs in all of the targets: Seven in mruby, three in PHP, two in ChakraCore, and one in Lua. Reporting these bugs was awarded with a sum of 2600 USD and 6 CVEs were assigned. Our experiments show that combining context-free grammars and feedback-driven fuzzing significantly outperforms state-of-the-art approaches like AFL by an order of magnitude and grammar fuzzers by more than a factor of two when measuring code coverage.
{"title":"NAUTILUS: Fishing for Deep Bugs with Grammars","authors":"Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, A. Sadeghi, D. Teuchert","doi":"10.14722/ndss.2019.23412","DOIUrl":"https://doi.org/10.14722/ndss.2019.23412","url":null,"abstract":"Fuzz testing is a well-known method for efficiently identifying bugs in programs. Unfortunately, when programs that require highly-structured inputs such as interpreters are fuzzed, many fuzzing methods struggle to pass the syntax checks: interpreters often process inputs in multiple stages, first syntactic and then semantic correctness is checked. Only if both checks are passed, the interpreted code gets executed. This prevents fuzzers from executing “deeper” — and hence potentially more interesting — code. Typically, two valid inputs that lead to the execution of different features in the target program require too many mutations for simple mutation-based fuzzers to discover: making small changes like bit flips usually only leads to the execution of error paths in the parsing engine. So-called grammar fuzzers are able to pass the syntax checks by using ContextFree Grammars. Feedback can significantly increase the efficiency of fuzzing engines and is commonly used in state-of-the-art mutational fuzzers which do not use grammars. Yet, current grammar fuzzers do not make use of code coverage, i.e., they do not know whether any input triggers new functionality. In this paper, we propose NAUTILUS, a method to efficiently fuzz programs that require highly-structured inputs by combining the use of grammars with the use of code coverage feedback. This allows us to recombine aspects of interesting inputs, and to increase the probability that any generated input will be syntactically and semantically correct. We implemented a proofof-concept fuzzer that we tested on multiple targets, including ChakraCore (the JavaScript engine of Microsoft Edge), PHP, mruby, and Lua. NAUTILUS identified multiple bugs in all of the targets: Seven in mruby, three in PHP, two in ChakraCore, and one in Lua. Reporting these bugs was awarded with a sum of 2600 USD and 6 CVEs were assigned. Our experiments show that combining context-free grammars and feedback-driven fuzzing significantly outperforms state-of-the-art approaches like AFL by an order of magnitude and grammar fuzzers by more than a factor of two when measuring code coverage.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"7 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88220565","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-01DOI: 10.14722/ndss.2019.23052
Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, Zhiqiang Lin
Increasingly, mobile application-based ride-hailing �services have become a very popular means of transportation. �Due to the handling of business logic, these services also contain �a wealth of privacy-sensitive information such as GPS locations, �car plates, driver licenses, and payment data. Unlike many of �the mobile applications in which there is only one type of users, �ride-hailing services face two types of users: riders and drivers. �While most of the efforts had focused on the rider’s privacy, �unfortunately, we notice little has been done to protect drivers. �To raise the awareness of the privacy issues with drivers, in �this paper we perform the first systematic study of the drivers’ �sensitive data leakage in ride-hailing services. More specifically, �we select 20 popular ride-hailing apps including Uber and Lyft �and focus on one particular feature, namely the nearby cars �feature. Surprisingly, our experimental results show that largescale �data harvesting of drivers is possible for all of the ridehailing �services we studied. In particular, attackers can determine �with high-precision the driver’s privacy-sensitive information �including mostly visited address (e.g., home) and daily driving behaviors. �Meanwhile, attackers can also infer sensitive information �about the business operations and performances of ride-hailing �services such as the number of rides, utilization of cars, and �presence on the territory. In addition to presenting the attacks, �we also shed light on the countermeasures the service providers �could take to protect the driver’s sensitive information.
{"title":"Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services","authors":"Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, Zhiqiang Lin","doi":"10.14722/ndss.2019.23052","DOIUrl":"https://doi.org/10.14722/ndss.2019.23052","url":null,"abstract":"Increasingly, mobile application-based ride-hailing \u0000services have become a very popular means of transportation. \u0000Due to the handling of business logic, these services also contain \u0000a wealth of privacy-sensitive information such as GPS locations, \u0000car plates, driver licenses, and payment data. Unlike many of \u0000the mobile applications in which there is only one type of users, \u0000ride-hailing services face two types of users: riders and drivers. \u0000While most of the efforts had focused on the rider’s privacy, \u0000unfortunately, we notice little has been done to protect drivers. \u0000To raise the awareness of the privacy issues with drivers, in \u0000this paper we perform the first systematic study of the drivers’ \u0000sensitive data leakage in ride-hailing services. More specifically, \u0000we select 20 popular ride-hailing apps including Uber and Lyft \u0000and focus on one particular feature, namely the nearby cars \u0000feature. Surprisingly, our experimental results show that largescale \u0000data harvesting of drivers is possible for all of the ridehailing \u0000services we studied. In particular, attackers can determine \u0000with high-precision the driver’s privacy-sensitive information \u0000including mostly visited address (e.g., home) and daily driving behaviors. \u0000Meanwhile, attackers can also infer sensitive information \u0000about the business operations and performances of ride-hailing \u0000services such as the number of rides, utilization of cars, and \u0000presence on the territory. In addition to presenting the attacks, \u0000we also shed light on the countermeasures the service providers \u0000could take to protect the driver’s sensitive information.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"11 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74817156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-01DOI: 10.14722/ndss.2019.23009
Marius Steffens, C. Rossow, Martin Johns, Ben Stock
The Web has become highly interactive and an �important driver for modern life, enabling information retrieval, �social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious �attacks against Web clients. Research has long since focused �on three categories of XSS: Reflected, Persistent, and DOMbased XSS. In this paper, we argue that our community must �consider at least four important classes of XSS, and present �the first systematic study of the threat of Persistent Client-Side �XSS, caused by the insecure use of client-side storage. While �the existence of this class has been acknowledged, especially by �the non-academic community like OWASP, prior works have �either only found such flaws as side effects of other analyses or �focused on a limited set of applications to analyze. Therefore, the �community lacks in-depth knowledge about the actual prevalence �of Persistent Client-Side XSS in the wild. �To close this research gap, we leverage taint tracking to �identify suspicious flows from client-side persistent storage (Web �Storage, cookies) to dangerous sinks (HTML, JavaScript, and �script.src). We discuss two attacker models capable of �injecting malicious payloads into storage, i.e., a Network Attacker �capable of temporarily hijacking HTTP communication (e.g., in �a public WiFi), and a Web Attacker who can leverage flows into �storage or an existing reflected XSS flaw to persist their payload. �With our taint-aware browser and these models in mind, we �study the prevalence of Persistent Client-Side XSS in the Alexa �Top 5,000 domains. We find that more than 8% of them have �unfiltered data flows from persistent storage to a dangerous sink, �which showcases the developers’ inherent trust in the integrity �of storage content. Even worse, if we only consider sites that �make use of data originating from storage, 21% of the sites are �vulnerable. For those sites with vulnerable flows from storage �to sink, we find that at least 70% are directly exploitable by �our attacker models. Finally, investigating the vulnerable flows �originating from storage allows us to categorize them into four �disjoint categories and propose appropriate mitigations.
{"title":"Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild","authors":"Marius Steffens, C. Rossow, Martin Johns, Ben Stock","doi":"10.14722/ndss.2019.23009","DOIUrl":"https://doi.org/10.14722/ndss.2019.23009","url":null,"abstract":"The Web has become highly interactive and an \u0000important driver for modern life, enabling information retrieval, \u0000social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious \u0000attacks against Web clients. Research has long since focused \u0000on three categories of XSS: Reflected, Persistent, and DOMbased XSS. In this paper, we argue that our community must \u0000consider at least four important classes of XSS, and present \u0000the first systematic study of the threat of Persistent Client-Side \u0000XSS, caused by the insecure use of client-side storage. While \u0000the existence of this class has been acknowledged, especially by \u0000the non-academic community like OWASP, prior works have \u0000either only found such flaws as side effects of other analyses or \u0000focused on a limited set of applications to analyze. Therefore, the \u0000community lacks in-depth knowledge about the actual prevalence \u0000of Persistent Client-Side XSS in the wild. \u0000To close this research gap, we leverage taint tracking to \u0000identify suspicious flows from client-side persistent storage (Web \u0000Storage, cookies) to dangerous sinks (HTML, JavaScript, and \u0000script.src). We discuss two attacker models capable of \u0000injecting malicious payloads into storage, i.e., a Network Attacker \u0000capable of temporarily hijacking HTTP communication (e.g., in \u0000a public WiFi), and a Web Attacker who can leverage flows into \u0000storage or an existing reflected XSS flaw to persist their payload. \u0000With our taint-aware browser and these models in mind, we \u0000study the prevalence of Persistent Client-Side XSS in the Alexa \u0000Top 5,000 domains. We find that more than 8% of them have \u0000unfiltered data flows from persistent storage to a dangerous sink, \u0000which showcases the developers’ inherent trust in the integrity \u0000of storage content. Even worse, if we only consider sites that \u0000make use of data originating from storage, 21% of the sites are \u0000vulnerable. For those sites with vulnerable flows from storage \u0000to sink, we find that at least 70% are directly exploitable by \u0000our attacker models. Finally, investigating the vulnerable flows \u0000originating from storage allows us to categorize them into four \u0000disjoint categories and propose appropriate mitigations.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"87 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91334728","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-01DOI: 10.14722/ndss.2019.23448
Ferdinand Brasser, David Gens, Patrick Jauernig, A. Sadeghi, Emmanuel Stapf
ARM TrustZone is one of the most widely deployed security architecture providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE’s attack surface: any vulnerable or malicious TA can compromise the system’s security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities, however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel’s SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day. We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem without relying on virtualization. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone’s normal world comparable to SGX’s user-space enclaves. In particular, we leverage TrustZone’s versatile AddressSpace Controller available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. Moreover, moving security-sensitive apps from the TrustZone’s secure world to isolated compartments minimizes the TEE’s attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged. We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.
ARM TrustZone是提供可信执行环境(tee)的最广泛部署的安全架构之一。不幸的是,由于设备供应商强加的限制部署策略,它的使用和对应用程序开发人员和最终用户的潜在好处在很大程度上受到限制。由于每个受信任的应用程序(TA)都增加了TEE的攻击面,因此实施了限制:任何易受攻击或恶意的TA都可能危及系统的安全性。因此,部署TA需要设备供应商和应用程序开发人员之间的相互信任,这为双方都带来了高昂的成本。供应商通过提供选定TEE功能的接口来解决这个问题,然而,这些还不足以安全地实现像银行这样的高级移动服务。学术界和工业界对英特尔SGX技术的广泛讨论揭示了对tee无限制使用的需求,但迄今为止还没有针对移动设备的类似安全架构。我们提出了SANCTUARY,这是第一个允许在TrustZone生态系统中不依赖虚拟化而不受约束地使用tee的安全架构。SANCTUARY使安全敏感的应用程序能够在TrustZone的正常世界中与SGX的用户空间飞地相媲美的高度隔离的隔间内执行。特别是,我们利用TrustZone的通用AddressSpace控制器在当前的ARM片上系统参考设计中可用,以强制双向硬件级隔离:(i)安全敏感的应用程序被屏蔽在受损的正常世界操作系统中,同时(ii)系统也被保护免受潜在的恶意应用程序的隔离。此外,将对安全敏感的应用程序从TrustZone的安全世界转移到隔离的隔间可以最大限度地减少TEE的攻击面。因此,设备供应商和开发人员之间的相互信任关系变得过时了:tee的全部潜力可以被利用。通过在HiKey 960开发板上使用微基准测试和双因素身份验证一次性密码生成用例彻底评估我们的原型,我们展示了SANCTUARY的实用性和现实世界的好处。
{"title":"SANCTUARY: ARMing TrustZone with User-space Enclaves","authors":"Ferdinand Brasser, David Gens, Patrick Jauernig, A. Sadeghi, Emmanuel Stapf","doi":"10.14722/ndss.2019.23448","DOIUrl":"https://doi.org/10.14722/ndss.2019.23448","url":null,"abstract":"ARM TrustZone is one of the most widely deployed security architecture providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE’s attack surface: any vulnerable or malicious TA can compromise the system’s security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities, however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel’s SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day. We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem without relying on virtualization. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone’s normal world comparable to SGX’s user-space enclaves. In particular, we leverage TrustZone’s versatile AddressSpace Controller available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. Moreover, moving security-sensitive apps from the TrustZone’s secure world to isolated compartments minimizes the TEE’s attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged. We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"164 9 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86699052","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-02-01DOI: 10.14722/NDSS.2019.23068
Samuel Weiser, M. Werner, Ferdinand Brasser, Maja Malenko, S. Mangard, A. Sadeghi
Embedded computing devices are used on a large scale in the emerging internet of things (IoT). However, their wide deployment raises the incentive for attackers to target these devices, as demonstrated by several recent attacks. As IoT devices are built for long service life, means are required to protect sensitive code in the presence of potential vulnerabilities, which might be discovered long after deployment. Tagged memory has been proposed as a mechanism to enforce various fine-grained security policies at runtime. However, none of the existing tagged memory schemes provides efficient and flexible compartmentalization in terms of isolated execution environments. We present TIMBER-V, a new tagged memory architecture featuring flexible and efficient isolation of code and data on small embedded systems. We overcome several limitations of previous schemes. We augment tag isolation with a memory protection unit to isolate individual processes, while maintaining low memory overhead. TIMBER-V significantly reduces the problem of memory fragmentation, and improves dynamic reuse of untrusted memory across security boundaries. TIMBER-V enables novel sharing of execution stacks across different security domains, in addition to interleaved heaps. TIMBER-V is compatible to existing code, supports real-time constraints and is open source. We show the efficiency of TIMBER-V by evaluating our proofof-concept implementation on the RISC-V simulator.
{"title":"TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V","authors":"Samuel Weiser, M. Werner, Ferdinand Brasser, Maja Malenko, S. Mangard, A. Sadeghi","doi":"10.14722/NDSS.2019.23068","DOIUrl":"https://doi.org/10.14722/NDSS.2019.23068","url":null,"abstract":"Embedded computing devices are used on a large scale in the emerging internet of things (IoT). However, their wide deployment raises the incentive for attackers to target these devices, as demonstrated by several recent attacks. As IoT devices are built for long service life, means are required to protect sensitive code in the presence of potential vulnerabilities, which might be discovered long after deployment. Tagged memory has been proposed as a mechanism to enforce various fine-grained security policies at runtime. However, none of the existing tagged memory schemes provides efficient and flexible compartmentalization in terms of isolated execution environments. We present TIMBER-V, a new tagged memory architecture featuring flexible and efficient isolation of code and data on small embedded systems. We overcome several limitations of previous schemes. We augment tag isolation with a memory protection unit to isolate individual processes, while maintaining low memory overhead. TIMBER-V significantly reduces the problem of memory fragmentation, and improves dynamic reuse of untrusted memory across security boundaries. TIMBER-V enables novel sharing of execution stacks across different security domains, in addition to interleaved heaps. TIMBER-V is compatible to existing code, supports real-time constraints and is open source. We show the efficiency of TIMBER-V by evaluating our proofof-concept implementation on the RISC-V simulator.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"32 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73285928","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-01-07DOI: 10.14722/ndss.2019.23420
Tigist Abera, Raad Bahmani, Ferdinand Brasser, Ahmad Ibrahim, A. Sadeghi, M. Schunter
Networks of autonomous collaborative embedded systems are emerging in many application domains such as vehicular ad-hoc networks, robotic factory workers, search/rescue robots, delivery and search drones. To perform their collaborative tasks the involved devices exchange various types of information such as sensor data, status information, and commands. For the correct operation of these complex systems each device must be able to verify that the data coming from other devices is correct and has not been maliciously altered. In this paper, we present DIAT – a novel approach that allows to verify the correctness of data by attesting the correct generation as well as processing of data using control-flow attestation. DIAT enables devices in autonomous collaborative networks to securely and efficiently interact, relying on a minimal TCB. It ensures that the data sent from one device to another device is not maliciously changed, neither during transport nor during generation or processing on the originating device. Data exchanged between devices in the network is therefore authenticated along with a proof of integrity of all software involved in its generation and processing. To enable this, the embedded devices’ software is decomposed into simple interacting modules reducing the amount and complexity of software that needs to be attested, i.e., only those modules that process the data are relevant. As a proof of concept we implemented and evaluated our scheme DIAT on a state-of-the-art flight controller for drones. Furthermore, we evaluated our scheme in a simulation environment to demonstrate its scalability for large-scale systems.
{"title":"DIAT: Data Integrity Attestation for Resilient Collaboration of Autonomous Systems","authors":"Tigist Abera, Raad Bahmani, Ferdinand Brasser, Ahmad Ibrahim, A. Sadeghi, M. Schunter","doi":"10.14722/ndss.2019.23420","DOIUrl":"https://doi.org/10.14722/ndss.2019.23420","url":null,"abstract":"Networks of autonomous collaborative embedded systems are emerging in many application domains such as vehicular ad-hoc networks, robotic factory workers, search/rescue robots, delivery and search drones. To perform their collaborative tasks the involved devices exchange various types of information such as sensor data, status information, and commands. For the correct operation of these complex systems each device must be able to verify that the data coming from other devices is correct and has not been maliciously altered. In this paper, we present DIAT – a novel approach that allows to verify the correctness of data by attesting the correct generation as well as processing of data using control-flow attestation. DIAT enables devices in autonomous collaborative networks to securely and efficiently interact, relying on a minimal TCB. It ensures that the data sent from one device to another device is not maliciously changed, neither during transport nor during generation or processing on the originating device. Data exchanged between devices in the network is therefore authenticated along with a proof of integrity of all software involved in its generation and processing. To enable this, the embedded devices’ software is decomposed into simple interacting modules reducing the amount and complexity of software that needs to be attested, i.e., only those modules that process the data are relevant. As a proof of concept we implemented and evaluated our scheme DIAT on a state-of-the-art flight controller for drones. Furthermore, we evaluated our scheme in a simulation environment to demonstrate its scalability for large-scale systems.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"16 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-01-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91150279","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-01-01DOI: 10.14722/ndss.2019.23462
Tohid Shekari, C. Bayens, Morris Cohen, L. Graber, R. Beyah
{"title":"RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the Power Grid","authors":"Tohid Shekari, C. Bayens, Morris Cohen, L. Graber, R. Beyah","doi":"10.14722/ndss.2019.23462","DOIUrl":"https://doi.org/10.14722/ndss.2019.23462","url":null,"abstract":"","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":"13 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82633843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: