In this paper, we consider the problem of privacy-preserving release of function outputs that take private information as input. Disease susceptibilities are known to be associated with clinical features (e.g., age, sex) as well as genetic features represented by SNPs of individuals. Releasing outputs are not privacy-preserving if the private input can be uniquely identified by probabilistic inference using the outputs. To release useful outputs with preserving privacy, we present a mechanism that releases an interval as output, instead of an output value. We suppose adversaries perform probabilistic inference using released outputs to sharpen the posterior distribution of the target attributes. Then, our mechanism has two significant properties. First, when our mechanism provides the output, the increase of the adversary's posterior on any input attribute is upper-bounded by a prescribed level. Second, under this privacy constraint, the mechanism can provide the narrowest (optimal) interval that includes the true output. Building such a mechanism is often intractable. We formulate the design of the mechanism as a discrete constraint optimization problem so that it is solvable in a practical computation time. We also propose an algorithm to obtain the optimal mechanism based on dynamic programming. After applying our mechanism to release disease susceptibilities of obesity, we demonstrate that our mechanism performs better than existing methods in terms of privacy and utility.
{"title":"Privacy-preserving and Optimal Interval Release for Disease Susceptibility","authors":"Kosuke Kusano, I. Takeuchi, Jun Sakuma","doi":"10.1145/3052973.3053021","DOIUrl":"https://doi.org/10.1145/3052973.3053021","url":null,"abstract":"In this paper, we consider the problem of privacy-preserving release of function outputs that take private information as input. Disease susceptibilities are known to be associated with clinical features (e.g., age, sex) as well as genetic features represented by SNPs of individuals. Releasing outputs are not privacy-preserving if the private input can be uniquely identified by probabilistic inference using the outputs. To release useful outputs with preserving privacy, we present a mechanism that releases an interval as output, instead of an output value. We suppose adversaries perform probabilistic inference using released outputs to sharpen the posterior distribution of the target attributes. Then, our mechanism has two significant properties. First, when our mechanism provides the output, the increase of the adversary's posterior on any input attribute is upper-bounded by a prescribed level. Second, under this privacy constraint, the mechanism can provide the narrowest (optimal) interval that includes the true output. Building such a mechanism is often intractable. We formulate the design of the mechanism as a discrete constraint optimization problem so that it is solvable in a practical computation time. We also propose an algorithm to obtain the optimal mechanism based on dynamic programming. After applying our mechanism to release disease susceptibilities of obesity, we demonstrate that our mechanism performs better than existing methods in terms of privacy and utility.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"79 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82188936","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Cross-VM attacks have emerged as a major threat on commercial clouds. These attacks commonly exploit hardware level leakages on shared physical servers. A co-located machine can readily feel the presence of a co-located instance with a heavy computational load through performance degradation due to contention on shared resources. Shared cache architectures such as the last level cache (LLC) have become a popular leakage source to mount cross-VM attack. By exploiting LLC leakages, researchers have already shown that it is possible to recover fine grain information such as cryptographic keys from popular software libraries. This makes it essential to verify implementations that handle sensitive data across the many versions and numerous target platforms, a task too complicated, error prone and costly to be handled by human beings. Here we propose a machine learning based technique to classify applications according to their cache access profiles. We show that with minimal and simple manual processing steps feature vectors can be used to train models using support vector machines to classify the applications with a high degree of success. The profiling and training steps are completely automated and do not require any inspection or study of the code to be classified. In native execution, we achieve a successful classification rate as high as 98% (L1 cache) and 78% (LLC) over 40 benchmark applications in the Phoronix suite with mild training. In the cross-VM setting on the noisy Amazon EC2 the success rate drops to 60% for a suite of 25 applications. With this initial study we demonstrate that it is possible to train meaningful models to successfully predict applications running in co-located instances.
{"title":"Cache-Based Application Detection in the Cloud Using Machine Learning","authors":"Berk Gülmezoglu, T. Eisenbarth, B. Sunar","doi":"10.1145/3052973.3053036","DOIUrl":"https://doi.org/10.1145/3052973.3053036","url":null,"abstract":"Cross-VM attacks have emerged as a major threat on commercial clouds. These attacks commonly exploit hardware level leakages on shared physical servers. A co-located machine can readily feel the presence of a co-located instance with a heavy computational load through performance degradation due to contention on shared resources. Shared cache architectures such as the last level cache (LLC) have become a popular leakage source to mount cross-VM attack. By exploiting LLC leakages, researchers have already shown that it is possible to recover fine grain information such as cryptographic keys from popular software libraries. This makes it essential to verify implementations that handle sensitive data across the many versions and numerous target platforms, a task too complicated, error prone and costly to be handled by human beings. Here we propose a machine learning based technique to classify applications according to their cache access profiles. We show that with minimal and simple manual processing steps feature vectors can be used to train models using support vector machines to classify the applications with a high degree of success. The profiling and training steps are completely automated and do not require any inspection or study of the code to be classified. In native execution, we achieve a successful classification rate as high as 98% (L1 cache) and 78% (LLC) over 40 benchmark applications in the Phoronix suite with mild training. In the cross-VM setting on the noisy Amazon EC2 the success rate drops to 60% for a suite of 25 applications. With this initial study we demonstrate that it is possible to train meaningful models to successfully predict applications running in co-located instances.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"19 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77224571","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
To protect smartphones from unauthorized access, the user has the option to activate authentication mechanisms : PIN, Password, or Pattern. Unfortunately, these mechanisms are vulnerable to shoulder-surfing, smudge and snooping attacks. Even the traditional biometric based systems such as fingerprint or face, also could be bypassed. In order to protect smartphones data against these sort of attacks, we propose a behavioral biometric authentication framework that leverages the user's behavioral patterns such as touchscreen actions, keystroke, application used and sensor data to authenticate smartphone users. To evaluate the framework, we conducted a field study in which we instrumented the Android OS and collected data from 52 participants during 30-day period. We present the prototype of our framework and we are working on its components to select the best features set that can be used to build different modalities to authenticate users on different contexts. To this end, we developed only one modality, a gesture authentication modality, which authenticate smartphone users based on touch gesture. We evaluated this authentication modality on about 3 million gesture samples based on two schemes, classification scheme with EER~0.004, and anomaly detection scheme with EER~0.10.
{"title":"A Behavioral Biometric Authentication Framework on Smartphones","authors":"Ahmed M. Mahfouz, Tarek M. Mahmoud, A. Eldin","doi":"10.1145/3052973.3055160","DOIUrl":"https://doi.org/10.1145/3052973.3055160","url":null,"abstract":"To protect smartphones from unauthorized access, the user has the option to activate authentication mechanisms : PIN, Password, or Pattern. Unfortunately, these mechanisms are vulnerable to shoulder-surfing, smudge and snooping attacks. Even the traditional biometric based systems such as fingerprint or face, also could be bypassed. In order to protect smartphones data against these sort of attacks, we propose a behavioral biometric authentication framework that leverages the user's behavioral patterns such as touchscreen actions, keystroke, application used and sensor data to authenticate smartphone users. To evaluate the framework, we conducted a field study in which we instrumented the Android OS and collected data from 52 participants during 30-day period. We present the prototype of our framework and we are working on its components to select the best features set that can be used to build different modalities to authenticate users on different contexts. To this end, we developed only one modality, a gesture authentication modality, which authenticate smartphone users based on touch gesture. We evaluated this authentication modality on about 3 million gesture samples based on two schemes, classification scheme with EER~0.004, and anomaly detection scheme with EER~0.10.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"17 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77230442","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Xavier Carpent, Karim M. El Defrawy, Norrathep Rattanavipanon, G. Tsudik
In the last decade, Remote Attestation (RA) emerged as a distinct security service for detecting attacks on embedded devices, cyber-physical systems (CPS) and Internet of Things (IoT) devices. RA involves verification of current internal state of an untrusted remote hardware platform (prover) by a trusted entity (verifier). RA can help the latter establish a static or dynamic root of trust in the prover and can also be used to construct other security services, such as software updates and secure deletion. Various RA techniques with different assumptions, security features and complexities, have been proposed for the single-prover scenario. However, the advent of IoT brought about the paradigm of many interconnected devices, thus triggering the need for efficient collective attestation of a (possibly mobile) group or swarm of provers. Though recent work has yielded some initial concepts for swarm attestation, several key issues remain unaddressed, and practical realizations have not been explored. This paper's main goal is to advance swarm attestation by bringing it closer to reality. To this end, it makes two contributions: (1) a new metric, called QoSA: Quality of Swarm Attestation, that captures the information offered by a swarm attestation technique; this allows comparing efficacy of multiple protocols, and (2) two practical attestation protocols -- called LISAa and LISAs -- for mobile swarms, with different QoSA features and communication and computation complexities. Security of proposed protocols is analyzed and their performance is assessed based on experiments with prototype implementations.
{"title":"Lightweight Swarm Attestation: A Tale of Two LISA-s","authors":"Xavier Carpent, Karim M. El Defrawy, Norrathep Rattanavipanon, G. Tsudik","doi":"10.1145/3052973.3053010","DOIUrl":"https://doi.org/10.1145/3052973.3053010","url":null,"abstract":"In the last decade, Remote Attestation (RA) emerged as a distinct security service for detecting attacks on embedded devices, cyber-physical systems (CPS) and Internet of Things (IoT) devices. RA involves verification of current internal state of an untrusted remote hardware platform (prover) by a trusted entity (verifier). RA can help the latter establish a static or dynamic root of trust in the prover and can also be used to construct other security services, such as software updates and secure deletion. Various RA techniques with different assumptions, security features and complexities, have been proposed for the single-prover scenario. However, the advent of IoT brought about the paradigm of many interconnected devices, thus triggering the need for efficient collective attestation of a (possibly mobile) group or swarm of provers. Though recent work has yielded some initial concepts for swarm attestation, several key issues remain unaddressed, and practical realizations have not been explored. This paper's main goal is to advance swarm attestation by bringing it closer to reality. To this end, it makes two contributions: (1) a new metric, called QoSA: Quality of Swarm Attestation, that captures the information offered by a swarm attestation technique; this allows comparing efficacy of multiple protocols, and (2) two practical attestation protocols -- called LISAa and LISAs -- for mobile swarms, with different QoSA features and communication and computation complexities. Security of proposed protocols is analyzed and their performance is assessed based on experiments with prototype implementations.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"24 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81843710","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chu et al. (ASIACCS 2012) proposed group signature with time-bound keys (GS-TBK) where each signing key is associated to an expiry time τ. In addition to prove the membership of the group, a signer needs to prove that the expiry time has not passed, i.e., t<τ where t is the current time. A signer whose expiry time has passed is automatically revoked, and this revocation is called natural revocation. Simultaneously, signers can be revoked before their expiry times have passed due to the compromise of the credential. This revocation is called premature revocation. A nice property of the Chu et al. proposal is that the size of revocation lists can be reduced compared to those of Verifier-Local Revocation (VLR) group signature schemes, by assuming that natural revocation accounts for most of signer revocations in practice, and prematurely revoked signers are only a small fraction. In this paper, we point out that the definition of traceability of Chu et al. did not capture unforgeability of expiry time of signing keys which guarantees that no adversary who has a signing key associated to an expiry time τ can compute a valid signature after τ has passed. We introduce a security model that captures unforgeability, and propose a GS-TBK scheme secure in the new model. Our scheme also provides the constant signing costs whereas those of the previous schemes depend on the bit-length of the time representation. Finally, we give implementation results, and show that our scheme is feasible in practical settings.
{"title":"Group Signatures with Time-bound Keys Revisited: A New Model and an Efficient Construction","authors":"K. Emura, Takuya Hayashi, Ai Ishida","doi":"10.1145/3052973.3052979","DOIUrl":"https://doi.org/10.1145/3052973.3052979","url":null,"abstract":"Chu et al. (ASIACCS 2012) proposed group signature with time-bound keys (GS-TBK) where each signing key is associated to an expiry time τ. In addition to prove the membership of the group, a signer needs to prove that the expiry time has not passed, i.e., t<τ where t is the current time. A signer whose expiry time has passed is automatically revoked, and this revocation is called natural revocation. Simultaneously, signers can be revoked before their expiry times have passed due to the compromise of the credential. This revocation is called premature revocation. A nice property of the Chu et al. proposal is that the size of revocation lists can be reduced compared to those of Verifier-Local Revocation (VLR) group signature schemes, by assuming that natural revocation accounts for most of signer revocations in practice, and prematurely revoked signers are only a small fraction. In this paper, we point out that the definition of traceability of Chu et al. did not capture unforgeability of expiry time of signing keys which guarantees that no adversary who has a signing key associated to an expiry time τ can compute a valid signature after τ has passed. We introduce a security model that captures unforgeability, and propose a GS-TBK scheme secure in the new model. Our scheme also provides the constant signing costs whereas those of the previous schemes depend on the bit-length of the time representation. Finally, we give implementation results, and show that our scheme is feasible in practical settings.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"7 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87060374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We discuss the use of formal modeling to discover potential attacks on Cyber-Physical systems, in particular Industrial Control Systems. We propose a general approach to achieve that goal considering physical-layer interactions, time and state discretization of the physical process and logic, and the use of suitable attacker profiles. We then apply the approach to model a real-world water treatment testbed using ASLan++ and analyze the resulting transition system using CL-AtSe, identifying four attack classes. To show that the attacks identified by our formal assessment represent valid attacks, we compare them against practical attacks on the same system found independently by six teams from industry and academia. We find that 7 out of the 8 practical attacks were also identified by our formal assessment. We discuss limitations resulting from our chosen level of abstraction, and a number of modeling shortcuts to reduce the runtime of the analysis.
{"title":"Towards Formal Security Analysis of Industrial Control Systems","authors":"M. Rocchetto, Nils Ole Tippenhauer","doi":"10.1145/3052973.3053024","DOIUrl":"https://doi.org/10.1145/3052973.3053024","url":null,"abstract":"We discuss the use of formal modeling to discover potential attacks on Cyber-Physical systems, in particular Industrial Control Systems. We propose a general approach to achieve that goal considering physical-layer interactions, time and state discretization of the physical process and logic, and the use of suitable attacker profiles. We then apply the approach to model a real-world water treatment testbed using ASLan++ and analyze the resulting transition system using CL-AtSe, identifying four attack classes. To show that the attacks identified by our formal assessment represent valid attacks, we compare them against practical attacks on the same system found independently by six teams from industry and academia. We find that 7 out of the 8 practical attacks were also identified by our formal assessment. We discuss limitations resulting from our chosen level of abstraction, and a number of modeling shortcuts to reduce the runtime of the analysis.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"184 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83450328","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Seunghun Cha, Sungsu Kwag, Hyoungshick Kim, J. Huh
Android allows 20 consecutive fail attempts on unlocking a device. This makes it difficult for pure guessing attacks to crack user patterns on a stolen device before it permanently locks itself. We investigate the effectiveness of combining Markov model-based guessing attacks with smudge attacks on unlocking Android devices within 20 attempts. Detected smudges are used to pre-compute all the possible segments and patterns, significantly reducing the pattern space that needs to be brute-forced. Our Markov-model was trained using 70% of a real-world pattern dataset that consists of 312 patterns. We recruited 12 participants to draw the remaining 30% on Samsung Galaxy S4, and used smudges they left behind to analyze the performance of the combined attack. Our results show that this combined method can significantly improve the performance of pure guessing attacks, cracking 74.17% of patterns compared to just 13.33% when the Markov model-based guessing attack was performed alone---those results were collected from a naive usage scenario where the participants were merely asked to unlock a given device. Even under a more complex scenario that asked the participants to use the Facebook app for a few minutes---obscuring smudges were added as a result---our combined attack, at 31.94%, still outperformed the pure guessing attack at 13.33%. Obscuring smudges can significantly affect the performance of smudge-based attacks. Based on this finding, we recommend that a mitigation technique should be designed to help users add obscurity, e.g., by asking users to draw a second random pattern upon unlocking a device.
{"title":"Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks","authors":"Seunghun Cha, Sungsu Kwag, Hyoungshick Kim, J. Huh","doi":"10.1145/3052973.3052989","DOIUrl":"https://doi.org/10.1145/3052973.3052989","url":null,"abstract":"Android allows 20 consecutive fail attempts on unlocking a device. This makes it difficult for pure guessing attacks to crack user patterns on a stolen device before it permanently locks itself. We investigate the effectiveness of combining Markov model-based guessing attacks with smudge attacks on unlocking Android devices within 20 attempts. Detected smudges are used to pre-compute all the possible segments and patterns, significantly reducing the pattern space that needs to be brute-forced. Our Markov-model was trained using 70% of a real-world pattern dataset that consists of 312 patterns. We recruited 12 participants to draw the remaining 30% on Samsung Galaxy S4, and used smudges they left behind to analyze the performance of the combined attack. Our results show that this combined method can significantly improve the performance of pure guessing attacks, cracking 74.17% of patterns compared to just 13.33% when the Markov model-based guessing attack was performed alone---those results were collected from a naive usage scenario where the participants were merely asked to unlock a given device. Even under a more complex scenario that asked the participants to use the Facebook app for a few minutes---obscuring smudges were added as a result---our combined attack, at 31.94%, still outperformed the pure guessing attack at 13.33%. Obscuring smudges can significantly affect the performance of smudge-based attacks. Based on this finding, we recommend that a mitigation technique should be designed to help users add obscurity, e.g., by asking users to draw a second random pattern upon unlocking a device.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"57 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90487274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Password & Auth 1","authors":"Jianying Zhou","doi":"10.1145/3248553","DOIUrl":"https://doi.org/10.1145/3248553","url":null,"abstract":"","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"5 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73134841","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
David M. Sommer, Aritra Dhar, Luka Malisa, Esfandiar Mohammadi, D. Ronzani, Srdjan Capkun
Many privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis attacks. The only ACN with a high number of participants (around 1.5 million users) is Tor. Yet, Tor is prone to traffic analysis attacks traffic pattern attacks. While other ACNs have been proposed that are even secure against global attackers, they are not scalable and suffer from a low number of participants, since even a perfect ACN can at most hide a user among all participating users. These ACNs are in a vicious circle: the lack of participants leads to low degree of anonymity, and a low degree of anonymity makes these ACNs unattractive for users. In this work, we break this vicious cycle by studying the question: Can an anonymous communication network be strengthened by "forced" participation? What privacy guarantees and performance can such an ACN provide? We develop CoverUp, a system that "forces" visitors of highly accessed websites (entry servers) to become involuntary participants of an ACN. CoverUp triggers users to participate in a centralized, constant-rate mix by leveraging basic functionality of their browsers to execute (JavaScript) code served by the entry servers. Candidates for entry servers could be universities or news sites. They would let a distinct CoverUp server provide (via an iframe) JavaScript code to the end-users' browsers, which in turn makes them participate in the ACN via a mix server. Visitors of these entry servers' websites become (involuntary) participants of an ACN, creating cover traffic for voluntary participants. For voluntary participants, we developed a browser extension that renders their CoverUp requests indistinguishable from the cover traffic of involuntary participants. We build two applications on top of CoverUp: an anonymous feed and a chat-both use an additional external CoverUp application. As the feed is uni-directional, we do not need to trust more than the client's machine. As the chat is bi-directional, we do need to trust the CoverUp and the mix server. We show that both achieve practical performance and strong privacy properties via experimental evaluations and an analysis. CoverUp renders voluntary and involuntary participants indistinguishable, thereby including all voluntary and involuntary participants into an anonymity set. Given this, CoverUp provides even more than mere anonymity: the voluntary participants can hide the very intention to use the ACN. As the concept of forced participation raises ethical and legal concerns, we discuss these concerns and describe how these can be addressed.
{"title":"CoverUp: Privacy Through \"Forced\" Participation in Anonymous Communication Networks","authors":"David M. Sommer, Aritra Dhar, Luka Malisa, Esfandiar Mohammadi, D. Ronzani, Srdjan Capkun","doi":"10.1145/3052973.3056126","DOIUrl":"https://doi.org/10.1145/3052973.3056126","url":null,"abstract":"Many privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis attacks. The only ACN with a high number of participants (around 1.5 million users) is Tor. Yet, Tor is prone to traffic analysis attacks traffic pattern attacks. While other ACNs have been proposed that are even secure against global attackers, they are not scalable and suffer from a low number of participants, since even a perfect ACN can at most hide a user among all participating users. These ACNs are in a vicious circle: the lack of participants leads to low degree of anonymity, and a low degree of anonymity makes these ACNs unattractive for users. In this work, we break this vicious cycle by studying the question: Can an anonymous communication network be strengthened by \"forced\" participation? What privacy guarantees and performance can such an ACN provide? We develop CoverUp, a system that \"forces\" visitors of highly accessed websites (entry servers) to become involuntary participants of an ACN. CoverUp triggers users to participate in a centralized, constant-rate mix by leveraging basic functionality of their browsers to execute (JavaScript) code served by the entry servers. Candidates for entry servers could be universities or news sites. They would let a distinct CoverUp server provide (via an iframe) JavaScript code to the end-users' browsers, which in turn makes them participate in the ACN via a mix server. Visitors of these entry servers' websites become (involuntary) participants of an ACN, creating cover traffic for voluntary participants. For voluntary participants, we developed a browser extension that renders their CoverUp requests indistinguishable from the cover traffic of involuntary participants. We build two applications on top of CoverUp: an anonymous feed and a chat-both use an additional external CoverUp application. As the feed is uni-directional, we do not need to trust more than the client's machine. As the chat is bi-directional, we do need to trust the CoverUp and the mix server. We show that both achieve practical performance and strong privacy properties via experimental evaluations and an analysis. CoverUp renders voluntary and involuntary participants indistinguishable, thereby including all voluntary and involuntary participants into an anonymity set. Given this, CoverUp provides even more than mere anonymity: the voluntary participants can hide the very intention to use the ACN. As the concept of forced participation raises ethical and legal concerns, we discuss these concerns and describe how these can be addressed.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"63 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73028916","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Since its inauguration in 2006 in Taipei, ASIACCS, the ACM Asia Conference on Computer and Communications Security, has become an integral part of scientific community in the field of security and privacy. It has been held in Singapore (2007), Tokyo (2008), Sydney (2009), Beijing (2010), Hong Kong (2011), Seoul (2012), Hangzhou (2013), Kyoto (2014), Singapore (2015), and Xi'an (2016). ASIACCS 2017 takes place in Abu Dhabi and is organized by the New York University Abu Dhabi, UAE. We received 359 submissions, a new record in the conference's decade-long history. This year's Program Committee comprising 108 security researchers from 26 countries, evaluated submissions through a rigorous review procedure. For the first time in the conference's history, a Shadow Program Committee (SPC), composed of 27 security researchers from 14 countries, was introduced. The task of the SPC members was to comment on the reviews made by the PC members, in addition to reviewing the corresponding papers. On the one hand, the SPC comments greatly helped to significantly enhance the quality the many reviews. On the other hand, to provide the anonymity for SPC members, they could not directly debate with the PC members, which was largely due to technological limitations: HotCRP (or any review software for that matter) is not designed to have some accounts only seeing some information. We had a discussion of doubleblind vs. single-blind requirements. One of our main goals when designing the system was to ensure that junior reviewers in the SPC could raise criticism of senior reviewers with impunity. Despite the management effort, we believe that implementing the SPC concept was successful. We also learned useful lessons on how to improve it. After the review process concluded, 67 full papers were accepted to be presented at the conference, representing an acceptance rate of about 18%. In addition, 4 short papers and 10 posters/demos were also included in the program. We have a strong technical program along with 5 specialized pre-conference workshops, three tutorials and an invited talk track that is introduced this year. The pre-conference workshops are 4th ACM ASIA Public-Key Cryptography Workshop (APKC 2017), ACM Workshop on Blockchain, Cryptocurrencies and Contracts (BCC'17), 3rd ACM Cyber-Physical System Security Workshop (CPSS 2017), 3rd International Workshop on IoT Privacy, Trust, and Security (IoTPTS 2017), 4th International Workshop on Security in Cloud Computing (SCC). We are fortunate to have distinguished keynote and invited speakers as well as tutorial lecturers who will present insights into current and future security and privacy research trends. There are three keynotes: Ross Anderson (University of Cambridge, UK), Christof Paar (Ruhr-University Bochum, Germany), and Gregory Neal Akers (Senior Vice President, Cisco Systems). Additionally, there are six invited talks by Mustaque Ahamad (Georgia Institute of Technology, US), Srdjan Capkun (E
{"title":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","authors":"R. Karri, O. Sinanoglu, A. Sadeghi, X. Yi","doi":"10.1145/3052973","DOIUrl":"https://doi.org/10.1145/3052973","url":null,"abstract":"Since its inauguration in 2006 in Taipei, ASIACCS, the ACM Asia Conference on Computer and Communications Security, has become an integral part of scientific community in the field of security and privacy. It has been held in Singapore (2007), Tokyo (2008), Sydney (2009), Beijing (2010), Hong Kong (2011), Seoul (2012), Hangzhou (2013), Kyoto (2014), Singapore (2015), and Xi'an (2016). \u0000 \u0000ASIACCS 2017 takes place in Abu Dhabi and is organized by the New York University Abu Dhabi, UAE. We received 359 submissions, a new record in the conference's decade-long history. This year's Program Committee comprising 108 security researchers from 26 countries, evaluated submissions through a rigorous review procedure. For the first time in the conference's history, a Shadow Program Committee (SPC), composed of 27 security researchers from 14 countries, was introduced. The task of the SPC members was to comment on the reviews made by the PC members, in addition to reviewing the corresponding papers. On the one hand, the SPC comments greatly helped to significantly enhance the quality the many reviews. On the other hand, to provide the anonymity for SPC members, they could not directly debate with the PC members, which was largely due to technological limitations: HotCRP (or any review software for that matter) is not designed to have some accounts only seeing some information. We had a discussion of doubleblind vs. single-blind requirements. One of our main goals when designing the system was to ensure that junior reviewers in the SPC could raise criticism of senior reviewers with impunity. Despite the management effort, we believe that implementing the SPC concept was successful. We also learned useful lessons on how to improve it. \u0000 \u0000After the review process concluded, 67 full papers were accepted to be presented at the conference, representing an acceptance rate of about 18%. In addition, 4 short papers and 10 posters/demos were also included in the program. \u0000 \u0000We have a strong technical program along with 5 specialized pre-conference workshops, three tutorials and an invited talk track that is introduced this year. \u0000 \u0000The pre-conference workshops are 4th ACM ASIA Public-Key Cryptography Workshop (APKC 2017), ACM Workshop on Blockchain, Cryptocurrencies and Contracts (BCC'17), 3rd ACM Cyber-Physical System Security Workshop (CPSS 2017), 3rd International Workshop on IoT Privacy, Trust, and Security (IoTPTS 2017), 4th International Workshop on Security in Cloud Computing (SCC). \u0000 \u0000We are fortunate to have distinguished keynote and invited speakers as well as tutorial lecturers who will present insights into current and future security and privacy research trends. There are three keynotes: Ross Anderson (University of Cambridge, UK), Christof Paar (Ruhr-University Bochum, Germany), and Gregory Neal Akers (Senior Vice President, Cisco Systems). Additionally, there are six invited talks by Mustaque Ahamad (Georgia Institute of Technology, US), Srdjan Capkun (E","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"51 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"72578454","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}